Business Associate Agreement (BAA)
This Business Associate Agreement (“Agreement”) is entered into by and between ___________________ (the “Covered Entity”) and Testimonial Tree, Inc. and/or an affiliated or managed entity or subsidiary, whether now existing or in the future created, (the “Business Associate”) (each a “Party” and collectively the “Parties”). This Agreement shall be effective as of the date the Business Associate commenced providing services for the Covered Entity (the “Effective Date”).
Business Associate provides certain services for Covered Entity (“Services”) that involve the use and disclosure of Protected Health Information (“PHI”), whether pursuant to a written subscription agreement (the “Subscription Agreement”) or other understanding. The Parties are committed to complying with the Standards for Privacy of Individually Identifiable Health Information, 45 C.F.R. Part 160 and Part 164, Subparts A and E (the “Privacy Rule”), 45 CFR 164, Subpart C (the “Security Rule”) and 45 CFR Subpart D (the “Breach Notification Rule”) under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as amended from time to time, including as amended by the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 and any implementing regulations. This Agreement sets forth the terms and conditions pursuant to which PHI, including PHI in electronic form (“EPHI”) that is accessed, created or received by Business Associate from or on behalf of Covered Entity will be handled. In the event of a conflict between this Agreement and any existing Subscription Agreement, this Agreement shall govern to the extent necessary to resolve the conflict in a manner that ensures Covered Entity’s compliance with HIPAA.
The Parties agree as follows:
1. Definitions
All capitalized terms used in this Agreement not otherwise defined shall have the meaning set forth in the Privacy Rule or the Security Rule, or the Breach Notification Rule including the HITECH Act and any implementing regulations, as applicable, unless otherwise defined in this Agreement.
2. PERMITTED USES AND DISCLOSURES OF PHI
2.1 Unless otherwise limited herein, Business Associate may:
- use or disclose PHI to perform functions, activities or Services for, or on behalf of, Covered Entity as specified in the Subscription Agreement, if any, provided that such use or disclosure would not violate the Privacy Rule or Security Rule if done by Covered Entity or the minimum necessary policies and procedures of Covered Entity;
- disclose PHI for the purposes authorized by this Agreement only: (i) to its employees, subcontractors and agents, in accordance with Section 3.1(f) of this Agreement; (ii) as directed by this Agreement; or (iii) as otherwise permitted by the terms of this Agreement;
- use PHI in its possession to provide Data Aggregation Services to Covered Entity as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B);
- use PHI in its possession for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate;
- disclose the PHI in its possession to third parties for the proper management and administration of Business Associate, provided that disclosures are: (i) Required by Law, or (ii) the Business Associate has received from the third party reasonable written assurances regarding its confidential handling of such PHI as required under 45 C.F.R. § 164.504(e)(4)(ii);
- use PHI to report violations of law to appropriate Federal and State authorities, consistent with 45 C.F.R. § 164.502(j)(1); and
- use and/or disclose PHI, to the extent and in the manner permitted under 45 C.F.R. § 164.512, provided, however, that the use or disclosure of PHI for research permitted under 45 C.F.R. § 164.512(i) shall only be permitted with the prior written approval of Covered Entity, which approval may be granted or withheld in Covered Entity’s sole and absolute discretion.
2.2 All other uses of PHI not specifically authorized by this Agreement are prohibited.
3. RESPONSIBILITIES OF THE PARTIES WITH RESPECT TO PHI AND EPHI
3.1 Responsibilities of Business Associate. With regard to its use and/or disclosure of PHI, Business Associate shall:
- use and/or disclose the PHI only as permitted or required by this Agreement or as otherwise required by law;
- report to the Privacy Officer of Covered Entity, in writing, any use and/or disclosure of the PHI that is not permitted or required by this Agreement of which Business Associate becomes aware, within ten (10) days of the Business Associate’s discovery of such unauthorized use and/or disclosure;
- mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of this Agreement;
- use commercially reasonable efforts to maintain the security of the PHI and to prevent use and/or disclosure of such PHI other than as provided herein;
- require all of its subcontractors and agents that receive, use, or have access to, PHI to agree, in writing to adhere to the same restrictions and conditions on the use and/or disclosure of PHI that apply to the Business Associate pursuant to this Agreement and take reasonable steps to monitor compliance with and, if necessary, to enforce that agreement;
- make all internal practices, records, books, agreements, policies and procedures relating to the use and/or disclosure of PHI available to the Secretary of the U.S. Department of Health and Human Services for purposes of determining the Covered Entity’s compliance with HIPAA;
- upon ten (10) days’ prior written request, make available during normal business hours at Business Associate’s offices all internal practices, records, books, agreements, policies and procedures relating to the use and/or disclosure of PHI to the Covered Entity for purposes of enabling the Covered Entity to determine the Business Associate’s compliance with the terms of this Agreement;
- document any disclosure of PHI and information related to such disclosure and, within ten (10) days of receiving a written request from the Covered Entity, provide to the Covered Entity such information as is requested by the Covered Entity to permit the Covered Entity to respond to a request by an individual for an accounting of the disclosures of the individual’s PHI in accordance with 45 C.F.R. § 164.528;
- subject to Section 4.3 of this Agreement, return to the Covered Entity within fifteen (15) days of the termination of this Agreement, the PHI in its possession and retain no copies, including backup copies;
- disclose to its subcontractors, agents or other third parties, and request from the Covered Entity, only the minimum PHI necessary to perform or fulfill a specific function required or permitted hereunder; and
- if all or any portion of the PHI is maintained in a Designated Record Set:
(i) upon ten (10) days’ prior written request from Covered Entity, provide access to the PHI in a Designated Record Set to the Covered Entity or, as directed by Covered Entity, the individual to whom such PHI relates or his or her authorized representative to meet a request by such individual under 45 C.F.R. § 164.524; and
(ii) upon ten (10) days’ prior written request from Covered Entity, make any amendment(s) to the PHI that the Covered Entity directs pursuant to 45 C.F.R. § 164.526.
3.2 Responsibilities of Covered Entity. Covered Entity shall:
- provide Business Associate a copy of the Covered Entity’s notice of privacy practices (“Notice”) currently in use;
- notify Business Associate of any limitations in the Notice pursuant to 45 C.F.R. § 164.520, to the extent that such limitations may affect Business Associate’s use or disclosure of PHI;
- notify Business Associate of any changes to the Notice that Covered Entity provides to individuals pursuant to 45 C.F.R. §164.520, to the extent that such changes may affect Business Associate’s use or disclosure of PHI;
- notify the Business Associate of any changes in, or withdrawal of, the consent or authorization of an individual regarding the use or disclosure of PHI provided to the Covered Entity pursuant to 45 C.F.R. §164.506 or §164.508 within ten (10) days, to the extent that such changes may affect Business Associate’s use or disclosure of PHI; and
- notify Business Associate, in writing, of any restrictions on use and/or disclosure of PHI as provided for in 45 C.F.R. § 164.522 agreed to by the Covered Entity, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.
3.3 Additional Responsibilities of Business Associate with Respect to EPHI. In the event Business Associate has access to EPHI, in addition to other requirements set forth in this Agreement relating to PHI, Business Associate shall:
- implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of EPHI that Business Associate creates, receives, maintains, or transmits on behalf of Covered Entity in compliance with 45 CFR §§ 164.306, 164.308, 164.310, 164.312, 164.314 and 164.316, which shall include, without limitation: (i) encrypting EPHI that Business Associate stores and transmits, (ii) implementing strong access controls, including physical locks, firewalls and strong passwords, (iii) using and updating antivirus software, (iv) adopting contingency planning policies and procedures, including data backup and disaster recovery plans, and (v) conducting periodic security training;
- ensure that any subcontractor or agent to whom Business Associate provides any EPHI agrees in writing to implement reasonable and appropriate safeguards to protect that information and take reasonable steps to monitor compliance with and, if necessary, enforce that agreement; and
- report to the Privacy Officer of Covered Entity, in writing, any Security Incident involving EPHI of which Business Associate becomes aware, within ten (10) days of the Business Associate’s discovery of such incident. For purposes of this section, a Security Incident shall have the meaning set forth in the Security Rule at 45 C.F.R. § 164.304, which defines Security Incident to mean the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with systems operations in an information system.
3.4 Duties of Business Associate Involving Breach of Unsecured PHI under the HITECH Act.
- Discovery of Breaches. Without waiver of Business Associate’s obligations as to encryption of EPHI under Section 3.3(a) of this Agreement, Business Associate will establish effective systems to monitor for and detect a Breach of Unsecured PHI accessed, maintained, retained, modified, stored, destroyed or otherwise held or used by Business Associate, whether the Unsecured PHI is in paper or electronic form.
- Reporting of Breach of Unsecured PHI. Business Associate shall report to Covered Entity’s Privacy Officer in writing any Breach of Unsecured PHI of which it becomes aware within five (5) days. Written notice shall contain the date of discovery and, to the extent known to Business Associate at that time, the identity of the individuals whose Unsecured PHI was subject to the Breach and the circumstances of the Breach. Business Associate shall not delay the foregoing notice to Covered Entity for investigation of the Breach but shall, after providing the notice, continue the investigation diligently until all information, including the names of all individuals whose PHI was subject to the Breach and all circumstances relating to the Breach have been reported to Covered Entity. Business Associate shall use best commercial efforts to complete any such further investigation within seven (7) days of the date Business Associate provided notice of the Breach to the Covered Entity and shall advise Covered Entity if Business Associate does not anticipate being able to do so, including the reasons for Business Associate’s inability to do so and the estimated completion date, which shall in no event be later than ten (10) days after the notice was initially provided to Covered Entity. If requested by Covered Entity, Business Associate shall assist Covered Entity in any assessment by the Covered Entity of the risk to the individuals whose PHI was subject to the Breach. Business Associate shall provide Covered Entity with updates of information concerning the details of such breach as needed to ensure that such information remains current and complete and shall also cooperate with Covered Entity in taking any steps requested or approved by Covered Entity to mitigate the harm to individuals arising from the Breach.
- Notification to the Individual. It is the sole responsibility of the Covered Entity to notify its patients of any Breach of PHI. At no time is the Business Associate to contact or speak directly to any of Covered Entity’s patients/individuals who are the subject of any Breach. Any such inquiries should be directed to the Covered Entity’s Privacy Officer. Business Associate shall cooperate with Covered Entity as necessary to provide such notification and any details pertaining to any Breach of PHI.
- Cooperation with Law Enforcement. Business Associate shall cooperate with Covered Entity in the event law enforcement officials institute an investigation that involves a Breach of PHI under this Agreement.
- Notification to Media. For a Breach of unsecured PHI involving more than 500 individuals, it is solely the responsibility of Covered Entity to notify the media and appropriate law enforcement and federal and state agencies as required by the HITECH Act, 45 C.F.R. 164.406. At no time is the Business Associate to contact or speak directly or indirectly to the media without the prior authorization of Covered Entity. Business Associate shall cooperate with Covered Entity as necessary to provide such notification to the media.
- Other Obligations. The obligations of Business Associate under this Section 3.4 are in addition to, and not in derogation of, the other obligations of Business Associate under this Agreement, including but not limited to the obligations of Business Associate under Sections 3.1(b), 3.1(h), and 3.3(c) of this Agreement. To the extent a use or disclosure of PHI, including EPHI, implicates more than one provision of this Agreement, Business Associate shall act in a manner that satisfies each such provision.
4. TERM AND TERMINATION
4.1 Term. This Agreement shall become effective on the Effective Date and shall continue in effect unless terminated as provided in this Article 4. Certain provisions and requirements of this Agreement shall survive its expiration or other termination as set forth in Section 5.1 herein.
4.2 Termination by Covered Entity. Pursuant to 45 C.F.R. §§ 164.504(e)(2)(iii) and 164.314(a)(2)(i)(D), the Covered Entity may immediately terminate this Agreement and any related agreements, including, but not limited to, any Subscription Agreement, if the Covered Entity determines in good faith that the Business Associate has breached a material term of this Agreement; provided, however, that the Covered Entity may not terminate this Agreement if Business Associate cures such breach to the reasonable satisfaction of the Covered Entity within ten (10) days after Business Associate’s receipt of written notice of such breach. If Business Associate’s efforts to cure any breach are unsuccessful, and termination of the Subscription Agreement is not feasible, Covered Entity shall have the right to report Business Associate’s breach to the Secretary pursuant to 45 C.F.R. §§ 164.504(e)(1)(ii)(B) and 164.314(a)(1)(ii)(B).
4.3 Effect of Termination. Upon termination or expiration of this Agreement for any reason, Business Associate shall return all PHI pursuant to 45 C.F.R. § 164.504(e)(2)(ii)(I) if, and to the extent that, it is feasible to do so. Prior to doing so, Business Associate shall recover any PHI in the possession of its subcontractors or agents. To the extent it is not feasible for the Business Associate to return or destroy any portion of the PHI, the Business Associate will provide Covered Entity written notice setting forth, at a minimum: (i) a statement that Business Associate has determined that it is infeasible to return or destroy all or some portion of the PHI in its possession or in the possession of its subcontractors or agents; (ii) the specific reasons for such determination; and (iii) a reasonably detailed description of the affected PHI. Business Associate shall extend any and all protections, limitations and restrictions contained in this Agreement to any PHI retained after the termination of this Agreement until such time as Business Associate certifies in writing that all such PHI has been returned to Covered Entity or destroyed, and shall limit any further uses and/or disclosures by Business Associate, or its subcontractors or agents, to the purposes that make the return or destruction of the PHI infeasible.
5. MISCELLANEOUS
5.1 Survival. The respective rights and obligations of Business Associate and Covered Entity under the provisions of Sections 4.3, 5.1, 5.3, 5.4, 5.6, 5.7, and 5.8, and Sections 2.1, 3.1, and 3.3 solely with respect to PHI Business Associate retains in accordance with Section 4.3 because it is not feasible to return or destroy such PHI, shall survive termination of this Agreement indefinitely.
5.2 Amendments; Waiver. This Agreement may not be modified, nor shall any provision hereof be waived or amended, except in a writing duly signed by authorized representatives of the Parties. A waiver with respect to one event shall not be construed as continuing, or as a bar to or waiver of any right or remedy as to subsequent events.
Notwithstanding the foregoing, the parties agree that in the event that Covered Entity determines that the provisions of this Agreement require amendment, including amendment to comply with provisions of the HITECH Act which are effective after the date of this Agreement or other legal or regulatory changes applicable to Business Associates, Covered Entity may provide Business Associate with a modification to this Agreement, which shall be deemed accepted and agreed to by the Business Associate unless, within ten (10) days after receipt of the modification, Business Associate provides Covered Entity with written objections to the modification and an explanation of the basis for the objections in reasonable detail. Upon receipt of a timely statement of objection from Business Associate, Covered Entity may either terminate, without cost or penalty, the Subscription Agreement(s) to the extent that, in the reasonable judgment of Covered Entity, the Service Agreement(s) is affected by the proposed modification (“Affected Agreement(s)”) on not less than thirty (30) days’ notice, or may notify Business Associate to begin negotiations for changes to the modification that are reasonably acceptable to both parties and necessary to ensure continued compliance with applicable laws and regulations. If the parties are unable to agree on changes to the modification within ten (10) days of the notice to begin negotiations, Covered Entity will have the option to terminate the Affected Agreement(s).
5.3 No Third Party Beneficiaries. Nothing express or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than the Parties and the respective successors or assigns of the Parties, any rights, remedies, obligations, or liabilities whatsoever.
5.4 Notices. Any notices to be given hereunder to a Party shall be made via U.S. Mail or express courier to such Party’s address given below, and/or (other than for the delivery of fees) via facsimile to the facsimile telephone numbers listed below.
If to Covered Entity, to: with a copy to (which does not constitute notice):
_____________________________
_____________________________
_____________________________
Attention: __________________ Attention: __________________
Telephone: __________________ Telephone: __________________
Telecopy: __________________ Telecopy: __________________
If to Business Associate, to:
Jason Dolle,
23150 Fashion Dr., Suite 238
Estero FL 33928
Telephone: 239.424.9018
With an electronic and physical copy to Business Associate’s counsel, at:
Cory Seegmiller, Esq.
6017 Pine Ridge Road, Suite 178
Naples, FL 34119
cory@seegmillergardner.com
Each Party named above may change its address and that of its representative for notice by the giving of notice thereof in the manner hereinabove provided. Such notice is effective upon receipt, but receipt is deemed to occur on the next business day if notice is sent by FedEx or other overnight delivery service.
5.5 Counterparts; Facsimiles. This Agreement may be executed in any number of counterparts, each of which shall be deemed an original. Facsimile copies hereof shall be deemed to be originals.
5.6 Confidentiality Obligations. In the course of performing under this Agreement, each Party may receive, be exposed to or acquire the Confidential Information including, but not limited to, all information, data, reports, records, summaries, tables and studies, whether written or oral, fixed in hard copy or contained in any computer database or computer readable form, as well as any information identified as confidential (“Confidential Information”) of the other Party. For purposes of this Agreement, Confidential Information shall not include PHI, which is the subject of this Agreement and is provided for elsewhere. The Parties, including their employees, agents or representatives (i) shall not disclose to any third party the Confidential Information of the other Party except as otherwise permitted by this Agreement, (ii) shall only permit use of such Confidential Information by employees, agents and representatives having a need to know in connection with performance under this Agreement, and (iii) shall advise each of their employees, agents, and representatives of their obligations to keep such Confidential Information confidential. Notwithstanding anything to the contrary herein, each Party shall be free to use, for its own business purposes, any ideas, suggestions, concepts, know-how or techniques contained in information received from each other that directly relates to the performance under this Agreement. This provision shall not apply to Confidential Information: (a) after it becomes publicly available through no fault of either Party; (b) which is later publicly released by either Party in writing; (c) which is lawfully obtained from third parties without restriction; or (d) which can be shown to be previously known or developed by either Party independently of the other Party.
5.7 Choice of Law; Interpretation. This Agreement shall be governed by the laws of the State of Florida, excluding any conflict of laws provisions that would require the application of the laws of any other jurisdiction, provided, however, that any ambiguities in this Agreement shall be resolved in a manner that allows the Covered Entity to comply with the Privacy Rule and Security Rule. Each party (a) submits to the exclusive jurisdiction of any state or federal court sitting in Lee County in the State of Florida in any action or proceeding arising out of or relating to this Agreement; (b) agrees that all claims in respect of such action or proceeding may be heard and determined only in any such court; (c) waives any claim of inconvenient forum or other challenge to venue in such court; and (d) agrees not to bring any action or proceeding arising out of or relating to this Agreement in any other court.
IN WITNESS WHEREOF, each of the undersigned has caused this Agreement to be duly executed in its name and on its behalf as of the Effective Date.
BUSINESS ASSOCIATE:
By:
Name:
On behalf of Testimonial Tree, Inc. and its affiliates and subsidiaries

COVERED ENTITY:
By:
Name:
Title:
Date: