This Business Associate Agreement (“BAA”) is made as of ____________________ by and between ____________________ (on behalf of itself and its affiliates) (“Covered Entity”) and Health Platforms Group, Inc. and its subsidiaries (dba Doctor.com) (“Business Associate”).
- Covered Entity and Business Associate are, or may become in the future, parties to various agreements, under which Business Associate provides a description of the products and/or services it is providing to Covered Entity (“Agreement(s)”).
- In connection with carrying out its obligations under such Agreement(s), Business Associate may receive from, or create, maintain or transmit on behalf of, Covered Entity Protected Health Information (as defined in 45 C.F.R. §160.103) (“PHI”) and other personally identifiable information for purposes, functions, activities, and services that are similar among such Agreement(s); and
- The parties are entering into this BAA to set forth certain standards for the protection of Covered Entity’s PHI and other personally identifiable information in compliance with applicable legal requirements, including but not limited to the HITECH Act and Omnibus Rule (each as defined below).
- In consideration of the mutual promises and covenants contained herein and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the parties agree to the terms contained herein.
- Definitions and Regulatory References.
Capitalized terms used in this BAA without definition shall have the meanings given to them in 45 C.F.R. parts 160 and 164, Subparts A and E (“Privacy Rule”) and Subpart C (“Security Rule”), Subtitle D of the Health Information Technology for Economic and Clinical Health Act (as incorporated in Title XIII of the American Recovery and Reinvestment Act of 2009) (“HITECH Act”), and any related amendments or implementing regulations, including but not limited to the Final Rule to Modify the Privacy Rule and Security Rule issued by the Department of Health and Human Services on January 25, 2013, and effective as of March 26, 2013, (“Omnibus Rule”). Any reference herein to the Privacy Rule, Security Rule, the HITECH Act or other federal or state regulation shall be a reference to such rule or regulation as in effect or as subsequently updated, amended or modified.
- Business Associate Obligations. Business Associate hereby agrees to:
- Use and disclose PHI only as Required By Law or as necessary to perform the functions, activities or services for, or on behalf of, Covered Entity that are set forth in such Agreement(s), but only to the extent the use or disclosure (i) is not inconsistent with use and disclosure permitted under the applicable Agreement(s); (ii) would not violate the Privacy Rule if done by Covered Entity or (iii) violate the minimum necessary policies and procedures of Covered Entity that are communicated to Business Associate;
- Use all reasonable and appropriate safeguards, and comply with the Security Rule with respect to Electronic PHI, to protect PHI and prevent unauthorized use or disclosure of PHI;
- (i) Immediately report to Covered Entity, in writing and by calling the Covered Entity’s designated contact person, any use or disclosure of PHI that is not provided for herein, including any Breach of Unsecured PHI as required by 45 C.F.R. §164.410 but in no event later than five days after Business Associate’s discovery of such Breach (as discovery is described in 45 C.F.R. §164.410), and any Security Incident of which Business Associate becomes aware and (ii) use reasonable efforts to mitigate any harmful effects resulting from such unauthorized use or disclosure or Security Incident;
- If the underlying Agreement(s) have acknowledged and authorized Business Associate to use a subcontractor or agent to provide services under such Agreement(s) and/or if any subcontractor or agent of Business Associate creates, receives, maintains, or has access to PHI, ensure that such subcontractor or agent (i) contractually agrees with Business Associate to substantially similar restrictions, conditions, and requirements that apply to Business Associate with respect to such information and further identifies Covered Entity as a third party beneficiary under such contract with rights of enforcement and indemnification from such subcontractor or agent in the event of any violations and (ii) agrees to implement and enforce reasonable and appropriate safeguards to protect Electronic PHI;
- To the extent applicable, provide access to PHI in a Designated Record Set in accordance with 45 C.F.R. §164.524 and in the time and manner reasonably requested by Covered Entity;
- To the extent applicable, amend PHI in a Designated Record Set in accordance with 45 C.F.R. §164.526 and in the time and manner reasonably requested by Covered Entity;
- Document disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to an Individual’s request for an accounting of such disclosures in accordance with 45 C.F.R. §164.528, and provide such information in the time and manner reasonably requested by Covered Entity;
- To the extent that Business Associate carries out one or more of Covered Entity’s obligations under Subpart E of 45 C.F.R. Part 164, comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of such obligations;
- Make its internal practices, books, and records, including policies and procedures, relating to (i) the use and disclosure of PHI, (ii) the use and disclosure of EPHI or Administrative, Physical and Technical Safeguards, or (iii) such Agreement(s), available upon request to Covered Entity or the Secretary of Health and Human Services (“HHS”), or any officer or employee of HHS to whom the Secretary has delegated such authority, for purposes of the Secretary determining compliance with the Privacy, Security and Omnibus Rules and related regulations; and
- Comply with any reasonable restrictions on the use or disclosure of PHI that Covered Entity communicates to Business Associate in writing.
- Disclosures Required By Law.
Except to the extent prohibited by law, Business Associate shall immediately notify Covered Entity, in writing and by calling the Covered Entity’s designated contact person, if Business Associate receives a request for disclosure of PHI with which Business Associate believes it is Required By Law to comply. Prior to releasing PHI in response to such request, Business Associate shall provide Covered Entity with a copy of such request and consult and cooperate with Covered Entity concerning the proper response to the request. Business Associate shall provide Covered Entity with a copy of any information disclosed pursuant to such request.
- Amendment to Comply with Law.
The parties acknowledge that state and federal laws relating to data security and privacy are rapidly evolving. In the event that additional standards are promulgated under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the HITECH Act and/or other applicable laws relating to the security or confidentiality of PHI and other personally identifiable information, or any existing standards are amended, including without limitation the Privacy, Security and Omnibus Rules, the parties agree to promptly amend this BAA and the Agreement(s) as necessary to comply with applicable legal requirements. Covered Entity may terminate any such Agreement(s) pertaining to this BAA upon written notice to Business Associate in the event Business Associate does not enter into an amendment that Covered Entity, in its sole discretion, deems sufficient to satisfy applicable legal standards and requirements.
- Term and Termination. This BAA shall be effective as of the effective date of the Agreement and shall terminate upon the expiration or termination of the Agreement. Upon Covered Entity’s determination that Business Associate has violated a material term of this BAA pertaining to any such Agreement(s), Covered Entity may either (i) terminate without penalty such Agreement(s) if Business Associate has not cured the breach or ended the violation within five days of its discovery by Business Associate or within the time period otherwise specified by Covered Entity or (ii) immediately terminate without penalty such Agreement(s) if Covered Entity determines that cure of such breach or violation is not possible. Upon any expiration or termination of any such Agreement(s) pertaining to this BAA, Business Associate shall return or destroy, as instructed by Covered Entity, all PHI and personally identifiable information, including Personal Information (as defined in 201 CMR 17.02), that Business Associate still maintains in any form. Business Associate shall not retain any copies of such PHI. To the extent that Covered Entity determines that it is not feasible for Business Associate to return or destroy such PHI, Business Associate may retain such information, provided that (i) Business Associate’s privacy and security obligations shall survive any expiration or termination of such Agreement(s) and this BAA and (ii) such information shall be used or disclosed solely for such purpose(s) that made its return or destruction infeasible. Any PHI so retained shall be returned or destroyed, as instructed by Covered Entity, as soon as its return or destruction becomes feasible.
- Survival. The parties agree that Business Associate’s obligations under this BAA and the sections of any such Agreement(s) relating to privacy, security, and confidentiality will survive any expiration or termination of such Agreement(s).
- Remedies for Breach. Business Associate agrees that Covered Entity is subject to irreparable damage upon Business Associate’s breach of its privacy and security obligations, such damages shall be difficult to quantify, and Covered Entity therefore may file an action for an injunction to enforce these privacy and security obligations against Business Associate, in addition to any other available remedies. Any liabilities arising as a result of Business Associate’s breach of its obligations hereunder are expressly excluded from any limitation or exclusion of damages provisions set forth in such Agreement(s).
- Interpretation. Any ambiguity in this BAA or the Agreements shall be resolved to permit the parties to comply with the Privacy and Security Rules, the HITECH Act and the Omnibus Rule, and all other applicable federal, state and local laws, rules and regulations. In the event a provision of this BAA conflicts with a provision in the Agreements, the BAA shall control.
- Third Party Rights. The parties further agree that nothing in this BAA shall confer upon any person other than the parties and/or Covered Entity’s agents or affiliates any rights, remedies, obligations, or liabilities whatsoever.
- No Agency. This BAA creates no agency relationship or vicarious relationship between Covered Entity and Business Associate, and Business Associate is not an employee, agent, servant or representative of Covered Entity. Business Associate is not under the direction, control or supervision of Covered Entity. Business Associate is solely responsible for all its decisions and actions regarding its compliance with this BAA and the safeguarding of PHI.
- Assignment. Neither Party has the authority to reassign this agreement without the other’s written consent. Notwithstanding the foregoing, either party may assign this Agreement, in whole or in part, to any entity resulting from the sale, combination or transfer of all or substantially all of the assets or capital stock, or from any other form of corporate reorganization by or of the party, in which case this Agreement shall be binding upon, and shall inure to the benefit of the parties hereto, their respective successors and permitted assigns.
- Amendment. Modifications to this BAA pertaining to any such Agreement(s) must be made in writing and signed by both parties.