BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement ("BAA") is entered into this _ day of _ (“Effective Date”) by and between Springbuk, Inc. (the "Business Associate") and [Company Name] as sponsor of [Company Name] Group Benefit Plan (the "Covered Entity") (each a "Party" and collectively the "Parties") for the purposes of compliance with the requirements established by the Standards for Privacy of Individually Identifiable Health Information and by the Security Standards for the Protection of Electronic Protected Health Information published by the U.S. Department of Health and Human Services Office for Civil Rights under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") with respect to the use, protection and disclosure of Protected Health Information ("PHI").
Background. The Business Associate is providing Services to the Covered Entity pursuant to a separate Master Subscription and Professional Services Agreement in place between Covered Entity or its vendor [Partner Name] (the "Underlying Agreement") and Business Associate which will involve disclosure of PHI by the Covered Entity or its vendors to Business Associate and may include disclosure of PHI from Business Associate back to Covered Entity. In addition, Covered Entity, and/or its vendors, and Business Associate may be receiving and/or transferring PHI electronically which will be subject to HIPAA security requirements for ePHI. For purposes of this BAA, any and all notices required under this BAA shall be sent to the administrator of the group benefit plan ("Plan Administrator").
Now, Therefore, intending to be legally bound, the Parties agree as follows:
- Definitions. Capitalized terms used, but not otherwise defined, in this BAA shall have the same meanings set forth in HIPAA and the Health Information Technology for Economic and Clinical Health Act provisions of the American Recovery and Reinvestment Act of 2009 ("ARRA") and as those terms are defined in 45 CFR including particularly parts 160.103, 164.103, 164.304 and 164.50, as amended from time to time.
- Obligations and Activities of Business Associate. Business Associate agrees to:
- use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 with respect to electronic PHI to prevent any use or disclosure of PHI other than as permitted by law and required by this BAA.
- prevent use or disclosure of the PHI other than as provided for by this BAA and the Underlying Agreement and implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic PHI that it receives, maintains or transmits on behalf of the Covered Entity.
- report to Covered Entity any use or disclosure of the PHI not provided for by this BAA as well as any security incident of which it becomes aware, including breaches of unsecured PHI as required by 45 CFR 164.410. This section constitutes ongoing notice to Plan Administrator of unsuccessful security incidents like pings on firewalls, port scans, and malware that do not result in unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
- ensure that any subcontractors to whom it provides PHI received from, or created, maintained, or transmitted by Business Associate on behalf of the Covered Entity agree to the same restrictions and conditions that apply through this BAA to Business Associate with respect to such information, and agree to implement reasonable and appropriate safeguards to protect PHI.
- provide access, at the request of Covered Entity, to PHI in a Designated Record Set to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 CFR 164.524. Business Associate shall identify the records in its possession that are components of a Designated Record Set and shall consider those records as a Designated Record Set in satisfying its obligation under the BAA. Business Associate shall make such determination in accordance with 45 C.F.R. §164.501.
- make any amendment(s) to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 CFR 164.526 at the request of Covered Entity or an Individual, in order to meet the requirements under 45 C.F.R. 164.526.
- make internal practices, books, and records relating to the use and disclosure of PHI received from, created or received by Business Associate on behalf of Covered Entity available to the Secretary of HHS, in a time and manner designated by the Secretary of HHS, for purposes of the Secretary of HHS determining Covered Entity's compliance with the Privacy Rule.
- document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR 164.528.
- provide to Covered Entity or an Individual, in the time and manner designated by Covered Entity, information collected in accordance with 2 (i) of this BAA, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR 164.528. Business Associate shall provide an accounting of disclosures in accordance with this section and as required by 42 U.S.C. 17935 if PHI is contained in an Electronic Health Record.
- with respect to any use or disclosure of Unsecured PHI not permitted by the Privacy Rule that is caused solely by Business Associate's failure to comply with one or more of its obligations under this BAA, Covered Entity hereby delegates to Business Associate the responsibility for determining when any such incident is a Breach of Unsecured PHI and for providing all legally required notifications in accordance with the security breach notification requirements set forth in 42 U.S.C. §17932 and 45 C.F.R. Parts 160 & 164 subparts A, D & E, and shall pay for the reasonable and actual costs associated with such notifications. In the event of a Breach of Unsecured PHI, without unreasonable delay, and in any event no later than forty-five (45) calendar days after discovery of the Breach of Unsecured PHI, Business Associate shall provide Covered Entity with written notification that includes a description of the Breach of Unsecured PHI, a list of affected Individuals and a copy of the template notification letter to be sent to affected individuals.
- to the extent the Business Associate is to carry out Covered Entity's obligations under the HIPAA Privacy requirements, comply with such requirements that apply to Covered Entity in the performance of such obligation.
- not make or cause to be made any written fundraising communication or communication about a product or service that is prohibited by 42 U.S.C. §17936 (a) and (b).
- not directly or indirectly receive remuneration in exchange for any PHI as prohibited by 42 U.S.C. §17935(d).
- Minimum Necessary. To the extent required by HIPAA, Business Associate will limit any use, disclosure, or request for use or disclosure of PHI to the minimum amount necessary to accomplish the intended purpose of the use, disclosure, or request.
- Permitted Uses and Disclosures by Business Associate. Except as otherwise limited in this BAA, Business Associate may use or disclose PHI to perform functions, activities, or services for, or on behalf of, Covered Entity as specified in the Underlying Agreement, provided that such use or disclosure would not violate the Privacy Rule if done by Covered Entity, and further, Business Associate may:
- use PHI for the proper management and administration of the Business Associate or to carry out the responsibilities of the Business Associate.
- disclose PHI for the proper management and administration of the Business Associate or to carry out its legal responsibilities, provided that disclosures are Required by Law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
- use PHI to provide Data Aggregation services to the Covered Entity as permitted by 45 C.F.R. §164.504(e)(2)(i)(B).
- use PHI to report violations of law to appropriate federal and state authorities, consistent with 45 C.F.R. §164.502(j)(1).
- disclose PHI to other Business Associates of Covered Entity as directed by Covered Entity.
- Obligations of Covered Entity. Covered Entity shall (i) not request Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy Rule if done by Covered Entity; (ii) be compliant with all applicable laws and regulations pertaining to PHI Covered Entity sends, or directs to be sent, to Business Associate; (iii) not provide access to the PHI to any employee, agent or other designee (including not using or disclosing the PHI for any employment-related action or decision) unless allowable under HIPAA and HITECH; (iv) use PHI for the limited purpose of satisfying its fiduciary obligation with respect to its administration of the group benefit plan; and (v) as necessary, amend its group plan documents as a condition to disclosure of PHI.
Also, Covered Entity agrees to provide Business Associate with:
- the prompt notice of privacy practices that Covered Entity produces in accordance with 45 CFR 164.520, as well as any material changes to such notice. If there are any provisions in such notice that may limit Business Associate's use or disclosure of PHI beyond the restrictions set forth in this BAA, Business Associate will only be required to comply with such different or additional restrictions upon specific written agreement to do so.
- prompt notice of any changes in, or revocation of, permission by an Individual to use or disclose PHI, if such changes affect Business Associate's permitted or required uses and disclosures; and
- prompt notice of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR 164.522 if such restrictions affect Business Associate's permitted or required uses and disclosures.
- Termination. Upon termination of the Underlying Agreement, Business Associate shall return or destroy all PHI received from Covered Entity or created or received by Business Associate on behalf of Covered Entity. This provision shall apply to PHI that is in the possession of subcontractors or agents of Business Associate. Business Associate shall retain no copies of the PHI. Notwithstanding the foregoing, in the event that Business Associate determines that returning or destroying the PHI is infeasible, Business Associate shall be entitled to retain such PHI, provided that Business Associate shall extend the protections of this BAA to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI. The Parties intend that the provisions of section 6(c)(2) shall survive termination of this BAA.
- Termination for Cause. Upon a material breach of this BAA, Covered Entity shall provide an opportunity for Business Associate to cure the breach or end the violation in accordance with the Underlying Agreement. The Covered Entity will have the right to terminate this BAA and the Underlying Agreement if Business Associate does not cure the breach or end the violation in accordance with the timeframes set forth in the Underlying Agreement.
- Mutual Representations and Warranties of the Parties. Each Party represents and warrants to the other Party that it is duly organized, validly existing, and in good standing under the laws of the jurisdiction in which it is organized, it has the full power to enter into this BAA and to perform its obligations, it is compliant with all laws and regulations regarding the receipt and/or disclosure of PHI, and that the performance by it of its obligations under this BAA have been duly authorized by all necessary corporate or other actions and will not violate any provision of any license, corporate charter, or bylaws; and that neither the execution of this BAA, nor its performance hereunder, will directly or indirectly violate or interfere with the terms of another agreement to which it is a party, or give any governmental entity the right to suspend, terminate, or modify any of its governmental authorities or assets required for its performance hereunder.
- Indemnification. The Parties agree to indemnify, defend and hold harmless each other and each other's respective employees, directors, officers, subcontractors, agents or other members of its workforce, each of the foregoing hereinafter referred to as "indemnified party," against all actual and direct losses suffered by the indemnified party and all liability to third parties arising from or in connection with any breach by the indemnifying party or its employees, directors, officers, subcontractors, agents or other members of its workforce of this BAA or of any warranty hereunder or from any negligence or wrongful acts or omissions, including failure to perform its obligations under the Privacy and Security Rules. Accordingly, on demand, the indemnifying party shall reimburse the indemnified party for any and all actual and direct losses, liabilities, fines, penalties, costs or expenses (including reasonable attorneys' fees) which may for any reason be imposed upon any indemnified party by reason of a suit, claim, action, proceeding, regulatory or administrative investigations or fines, or demand by any third party which results from the indemnifying party's breach hereunder. The Parties' obligation to indemnify any indemnified party shall survive the expiration or termination of this BAA.
- Amendment and Modification. No part of this BAA may be amended, modified, or supplemented in any manner whatsoever except by a written document signed by the Parties' authorized representatives. The Parties agree to take action to amend this BAA from time to time as necessary for Covered Entity to comply with the requirements of the Privacy Rule, Security Rule and the Health Insurance Portability and Accountability Act of 1996. This BAA can also be modified in accordance with the Amendment provision in the Underlying Agreement.
- No Third-Party Beneficiaries. Nothing express or implied in this BAA is intended to confer, nor shall anything herein confer, upon any person other than the Parties and the respective successors or assigns of the Parties, any rights, remedies, obligations, or liabilities whatsoever.
- Effect on Underlying Agreement. Except as relates to the use, security and disclosure of PHI and electronic transactions, this BAA is not intended to change the terms and conditions of, or the rights and obligations of the Parties under, the Underlying Agreement.
- Interpretation. A reference in this BAA to a section in the Privacy Rule or Security Rule means the section as amended from time to time. Any ambiguity in this BAA shall be resolved in favor of a meaning that permits Covered Entity and Business Associate to comply with the HIPAA Privacy Rule and the Security Rule.
- Execution in Counterparts. This BAA may be executed in counterparts, each of which shall be deemed an original, but all of which together shall be deemed to be one and the same agreement. A signed copy of this BAA delivered via e-mail (in pdf format) or other means of electronic transmission shall be deemed to have the same legal effect as delivery of an original signed copy of this BAA.
- General. The terms and provisions of this BAA shall be governed and construed in accordance with the internal laws of the State of Indiana.
- Authority. The individual(s) signing this BAA on behalf of Business Associate and Covered Entity are duly authorized representatives of the respective parties with full power and authority to execute this BAA.
IN WITNESS WHEREOF, the parties hereto have caused this Business Associate Agreement to be executed on the date written above.
Group Health Plan/Covered Entity
By: Steve Caldwell
Title: VP of Data, Infrastructure, and Security