BUSINESS ASSOCIATE AGREEMENT

THIS BUSINESS ASSOCIATE AGREEMENT (this “Agreement”), made and entered into as of the last date executed below (the “Effective Date”), by and between The SottoPelle LLC d/b/a Dosaggio, whose principal place of business is located at 8412 E Shea Blvd, Suite 101, Scottsdale, AZ 85260 (“Business Associate”), and the provider or medical practice (“Covered Entity”) (Business Associate and Covered Entity are each a “Party” and collectively the “Parties”).

RECITALS

A. Due to Covered Entity’s use of Business Associate’s dosing website, Business Associate provides services for Covered Entity that may involve the creation, receipt, maintenance, or transmission of PHI (as defined below) for or on behalf of Covered Entity for a function or activity regulated by 45 C.F.R. Part 160 Subpart A (collectively, the “Services”).

B. Covered Entity is a “covered entity” subject to the Health Insurance Portability and Accountability Act of 1996, as amended (“HIPAA”); the Health Information Technology for Economic and Clinical Health Act, as amended (“HITECH”); and the Standards for Privacy of Individually Identifiable Health Information, the Security Standards for Health Insurance Reform, and the Breach Notification Rule (collectively, the “HIPAA Rules”).

C. Due to the services, functions, and/or activities that Business Associate provides or performs for or on behalf of Covered Entity, HIPAA requires the Parties to enter into an agreement to set forth the conditions that shall govern Business Associate’s Use and Disclosure of PHI.

NOW, THEREFORE, in consideration of the mutual agreements set forth herein, the Parties hereto agree as follows:

1. Definitions. Except as otherwise defined herein, any and all capitalized terms used in this Agreement shall have the meanings set forth in the HIPAA Rules.

(a) “PHI” means Protected Health Information as that term is defined in the HIPAA Rules, limited to such information created, received, maintained, or transmitted by Business Associate for or on behalf of Covered Entity in order to provide the Services.

(b) “ePHI” means PHI, limited to such information created, received, maintained, or transmitted in Electronic Media by Business Associate for or on behalf of Covered Entity in order to provide the Services.

2. Obligations of Business Associate.

(a) Permitted Use and Disclosure of PHI. Business Associate shall Use and Disclose PHI as necessary to perform its obligations under this Agreement and provide the Services, as authorized by Covered Entity, and as otherwise permitted or Required by Law. Without limiting the generality of the foregoing, Business Associate may: (i) Use PHI for its proper management and administration and to carry out its legal responsibilities; (ii) Disclose PHI to a third party for Business Associate’s proper management and administration and to carry out its legal responsibilities, provided that the Disclosure is Required by Law or Business Associate obtains reasonable assurances from the third party regarding the confidential handling of such PHI; (iii) Use PHI to aggregate data as set forth in the HIPAA Rules; and (iv) de-identify PHI in accordance with the de-identification requirements set forth in the HIPAA Rules.

(b) Minimum Necessary. Business Associate shall make reasonable efforts to request from Covered Entity, and Use and Disclose, only the minimum necessary to accomplish the intended purpose of the request, Use, or Disclosure. The Parties agree that the PHI requested via the dosing website is the minimum necessary to provide the Services.

(c) Safeguards. Business Associate shall: (i) use reasonable and appropriate safeguards that are designed to protect the Confidentiality, Integrity, and Availability of PHI; and (ii) comply, where applicable, with Subpart C of 45 C.F.R. Part 164 with respect to ePHI to prevent Use or Disclosure of PHI other than as provided for by this Agreement.

(d) Access and Amendment of PHI. To the extent Business Associate maintains PHI in a Designated Record Set on behalf of Covered Entity that is not duplicative of any PHI in the possession of Covered Entity, Business Associate shall, upon Covered Entity’s written request, for so long as Business Associate maintains such information in a Designated Record Set on behalf of Covered Entity, timely make available to Covered Entity such PHI: (i) as required by 45 C.F.R. § 164.524; and (ii) for amendment, and shall incorporate any such amendment as directed by Covered Entity pursuant to 45 C.F.R. § 164.526. If Business Associate receives a request for access to PHI or amendment of PHI directly from an Individual, Business Associate will timely forward such request to Covered Entity.

(e) Accounting of Disclosures. To the extent no Disclosure exceptions apply under 45 C.F.R. § 164.528, Business Associate shall maintain and make available to Covered Entity, upon Covered Entity’s written request, the information that would be required for Covered Entity to respond to an Individual’s request for an accounting of Disclosures of PHI in accordance with 45 C.F.R. § 164.528. In the event an Individual delivers directly to Business Associate a request for an accounting of Disclosures, Business Associate shall timely forward such request to Covered Entity.

(f) Reporting. Business Associate shall timely report to Covered Entity any: (i) Use or Disclosure of PHI not provided for by this Agreement which it discovers; and (ii) Security Incident involving PHI of which it becomes aware. Following the discovery of a Breach of Unsecured PHI, Business Associate’s notice to Covered Entity shall include, to the extent known and possible: (1) a brief description of the Breach; (2) the types of Unsecured PHI involved; and (3) the steps taken by Business Associate to investigate the Breach. Upon Covered Entity’s request, Business Associate shall reasonably cooperate with Covered Entity’s investigation of any such event caused in whole or in part by Business Associate. Such cooperation shall not be construed in any way to waive any privilege held by or for Business Associate or require disclosure of any of Business Associate’s confidential or privileged information. The Parties agree that this Section constitutes notice by Business Associate to Covered Entity of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined below) for which no additional notice to Covered Entity shall be required. “Unsuccessful Security Incidents” include but are not limited to pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denials of service, and any combination of the above, so long as no such incident results in the unauthorized access, Use, Disclosure, modification, or destruction of PHI.

(g) Mitigation. Business Associate shall mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a Use or Disclosure of PHI by Business Associate in violation of Business Associate’s policies and procedures or the requirements of the HIPAA Privacy Rule.

(h) Agents and Subcontractors. Business Associate shall require that Subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to the restrictions and conditions that apply to Business Associate under the HIPAA Rules with respect to such information.

(i) Delegated Functions. The Parties agree that Business Associate has not been delegated any of Covered Entity’s obligations under Subpart E of 45 C.F.R. Part 164.

(j) Availability of Books and Records. Business Associate shall make its internal practices, books, and records relating to the Use and/or Disclosure of PHI received from, or created or received by Business Associate on behalf of Covered Entity available to the Secretary of the U.S. Department of Health and Human Services (“HHS”) or his or her designees for purposes of determining Covered Entity’s compliance with the HIPAA Rules.

3. Obligations of Covered Entity.

(a) To the extent such limitation(s), change(s), or restriction(s) may affect Business Associate’s Use, Disclosure, or Access to PHI, Covered Entity shall notify Business Associate of any: (i) limitation(s) in Covered Entity’s notice of privacy practices pursuant to HIPAA, including without limitation, 45 C.F.R. § 164.520; (ii) changes in, or revocation of, the permission by an Individual to Use or Disclose his or her PHI; and (iii) restriction(s) on the Use or Disclosure of PHI that Covered Entity has agreed to or is required to abide by pursuant to HIPAA, including without limitation, 45 C.F.R. § 164.522. Any such limitation(s), change(s), or restriction(s) set forth in this Section shall not apply to Uses or Disclosures of PHI made prior to Business Associate’s receipt of Covered Entity’s written notification of such limitation(s), change(s), or restriction(s). The Parties agree that such limitation(s), change(s), or restriction(s) may limit Business Associate’s ability to provide the Services.

(b) Except with regard to data aggregation and management and administration and legal responsibilities of Business Associate, Covered Entity shall not request Business Associate to Use or Disclose PHI in any manner that would not be permissible under HIPAA, HITECH, or the HIPAA Rules if done by Covered Entity.

4. Term and Termination.

(a) Term. This Agreement shall become effective on the Effective Date and shall remain in effect for the duration of the relationship, functions, and/or services giving rise to a business associate relationship between the Parties.

(b) Termination for Breach. This Agreement may be terminated by either Party in the event that the other Party breaches a material provision of this Agreement and the breach is not cured within thirty (30) days after receipt of the non-breaching Party’s written notice of such breach that sets forth all the specific facts necessary for the breaching Party to evaluate and cure such alleged breach.

(c) Automatic Termination. This Agreement will automatically terminate without any further action of the Parties upon the termination or expiration of the Service Agreement(s) that involves Business Associate’s creation, receipt, maintenance, or transmittal of PHI for or on behalf of Covered Entity.

(d) Effect of Termination. Upon the termination of this Agreement, Business Associate shall retain only that PHI which is necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities and shall return to Covered Entity or destroy, if feasible, the remaining PHI that Business Associate still maintains. If return or destruction is not feasible, Business Associate shall limit further Uses and Disclosures of such PHI to those purposes that make the return or destruction of such PHI infeasible.

5. Miscellaneous.

(a) Amendments; Waiver. This Agreement may not be modified, nor shall any provision hereof be waived or amended except in a writing duly signed by authorized representatives of the Parties. A waiver with respect to one event shall not be construed as continuing, or as a bar to or waiver of any right or remedy as to subsequent events. The Parties agree this Agreement may be stored electronically and may be executed in counterparts, each of which will be deemed an original, and all of which constitute one and the same instrument.

(b) Severability. If this Agreement shall contain any provision which shall be judged by any court of competent jurisdiction to be invalid, void, illegal, or unenforceable, the remainder of this Agreement shall not be affected thereby and each and every provision otherwise valid, legal, and enforceable shall remain so and be enforceable to the fullest extent permitted by law.

(c) Entire Agreement. This Agreement constitutes the entire agreement between the Parties regarding the subject matter herein and any prior understanding or representation of any kind preceding the date of this Agreement shall not be binding on either party except to the extent incorporated in this Agreement.

(d) Notice. Any notices to be given hereunder to a Party shall be made via U.S. Mail or express courier to such Party’s address indicated above. Initial notices and communication may be made by electronic mail so long as a written follow-up is sent by mail. Each Party may change its address for notice by giving notice in the manner herein provided.

(e) Regulatory Terms. A reference in this Agreement to a section in the HIPAA Rules means the section as in effect or as amended.

(f) Section Headings. The section headings used in this Agreement are for purposes of convenience or reference only. They shall not be used to explain, limit, or extend the meaning of any part of this Agreement.

(g) Disputes. If any controversy, dispute, or claim arises between the Parties with respect to this Agreement, the Parties shall make good faith efforts to resolve such matters informally.

(h) Application. Business Associate shall be bound by the terms of this Agreement only to the extent that: (i) Covered Entity is a “covered entity” pursuant to HIPAA; and (ii) Business Associate is acting as Covered Entity’s “business associate” by creating, receiving, maintaining, or transmitting PHI for or on behalf of Covered Entity in order to provide services to Covered Entity that are the type of services for which HHS has adopted a standard pursuant to HIPAA.

(i) Construction of Terms. Any ambiguity in this Agreement shall be interpreted to permit compliance with HIPAA, HITECH, and the HIPAA Rules. All references in this Agreement to any law or regulation are to the provision currently in effect and as subsequently updated, amended, or revised.

(j) Governing Law. This Agreement and the rights and obligations of the Parties hereunder shall be construed, interpreted, and enforced in accordance with, and governed by, the laws of the United States and the laws of the State of Arizona.

(k) No Third-Party Beneficiaries. Nothing in this Agreement shall confer upon any person or entity other than the Parties any rights, remedies, obligations, or liabilities whatsoever.


IN WITNESS WHEREOF, the undersigned have executed this Agreement as of the Effective Date.

Business Associate:
By: SottoPelle Inc.
Name: CarolAnn Tutera
Title: Mgr