Business Associate Agreement
This Business Associate Agreement (the “Agreement”) shall apply to the extent that the MaxMD Customer signee is a “Covered Entity” or “HIPAA Business Associate,” as defined below. Execution of the Agreement does not automatically qualify either party as a “Covered Entity” or “HIPAA Business Associate” under law or regulation unless that party is considered a “Covered Entity” or “HIPAA Business Associate” under the applicable laws or regulations. This Agreement defines the rights and responsibilities of each of us with respect to Protected Health Information as defined in the Health Insurance Portability and Accountability Act of 1996, the Health Information Technology for Economic and Clinical Health (HITECH) provisions of the American Recovery and Reinvestment Act of 2009, the Omnibus Final Rule (as applied to 45 CFR Parts 160 and 164) and the regulations promulgated thereunder, as each may be amended from time to time (collectively, “HIPAA”). This Agreement shall be applicable only in the event and to the extent MaxMD meets, with respect to you, the definition of a HIPAA Business Associate set forth at 45 C.F.R. Section 160.103, or applicable successor provisions.
Whereas MaxMD provides certain services, including facilitating the transmission of data over Direct mdEmail® and other electronic means, in a way that ensures that such data is encrypted during transmission and storage against unauthorized disclosure under HIPAA (defined below).
Whereas the MaxMD customer may, from time to time, perform activity that brings the MaxMD customer within the definition of a “Covered Entity” or a “HIPAA Business Associate” under HIPAA (as defined below). As a user of MaxMD’s products or services, the MaxMD customer may from time to time disclose to MaxMD certain Personal Health Information (as defined below) as part of MaxMD’s performance of its services to the MaxMD customer. MaxMD’s receipt and use of such information under its service contracts with the MaxMD customer may cause MaxMD to become a Business Associate as defined by HIPAA.
The following terms shall have the meanings set forth in this Article 1:
“Agreement” means this BA Agreement, any Customer Contract, and any other agreement, addendum, exhibit, schedule, policies and procedures, work order or other arrangement between you and MaxMD. References to “this Agreement” herein shall be deemed to be a reference to all Agreements between you and MaxMD.
“BA Agreement” means this Business Associate Agreement.
“Business Associate” means MaxMD, Incorporated (“MaxMD”).
“Covered Entity” means you or any of your subsidiaries or affiliates covered by this Agreement which is any of (1) a health plan, (2) a health care clearinghouse, or (3) a health care provider, and which electronically transmits any health information in connection with transactions for which the U.S. Department of Health and Human Services has adopted standards.
“Customer Contract” shall mean any agreement, letter, document or other writing describing the provision of products or services by MaxMD to you.
“CFR” shall mean the Code of Federal Regulations.
“Disclosure” of PHI means the release, transfer, provision of, access to, or divulging in any other manner, of PHI outside the entity holding the information per 45 CFR 160.103.
“Electronic Protected Health Information” or “ePHI” shall have the same meaning given to the term “electronic protected health information” in 45 CFR 160.103, limited in this Agreement to the PHI created or received by Business Associate from or on behalf of Covered Entity which is transmitted or maintained in electronic media. In addition, solely for purposes of Business Associate’s privacy and security obligations under this Agreement, ePHI shall be limited to and include only the following types of electronic information supplied or transmitted under this Agreement:
1. Sent E-mail. ePHI includes “Sent E-mail.” Sent E-mail under this Agreement means the “content” (described below) of email messages sent by Covered Entity from Business Associate’s e-mail or user-authenticated SMTP services. Sent E-mail does not include email messages “sent” as a result of inbound email processing rules, such as email forwards, email notices, or other processing rules. The “content” of Sent E-mail means the content of all email messages sent by Covered Entity under this Agreement; provided, however, that the following e-mail fields and the words, symbols, numbers and images associated with such fields shall not be considered or deemed to be “content” of Sent E-mail and shall not be deemed to be ePHI herein: (i) the subject field, (ii) sender address, (iii) recipient addresses, and (iv) other email header metadata.
2. Received Internal or Encrypted Email. ePHI includes the “content” (described below) of all Protected Messages. “Protected Messages” are e-mails transmitted from a sender’s e-mail server (i) over a TLS-encrypted SMTP connection, or (ii) which are PGP-encrypted, or (iii) which are S/MIME-encrypted, or (iv) such other encryption methodology recognized by or acceptable under HIPAA. Notices to pick up Protected Messages on a web site are not Protected Messages or otherwise ePHI. The “content” of Protected Messages does not include the following e-mail fields and the words, symbols, numbers and images associated with such fields: (i) the subject field, (ii) sender address, (iii) recipient addresses, and (iv) other email header metadata.
3. Databases. ePHI includes the content of any MySQL databases that you may be using for web hosting, even if you have not PGP-encrypted or provided for such encryption of the ePHI in such database.
4. File Storage. ePHI includes files stored on your web hosting/FTP file space (“Hosted Space”), including but not limited to (i) all files stored in your Hosted Space on servers that are dedicated to you, and (ii) PGP- or SSL-encrypted files stored in your Hosted Space on servers that you share with other persons or entities.
“HIPAA” means, collectively, the Health Insurance Portability and Accountability Act of 1996, HITECH, and the regulations promulgated thereunder, as each may be amended from time to time.
“HITECH” means the Health Information Technology for Economic and Clinical Health provisions of the American Recovery and Reinvestment Act of 2009.
“Individual” shall have the same meaning as the term “individual” in 45 CFR 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 CFR 164.502(g).
“Privacy Rule” means the Standards for Privacy of Individually Identifiable Health Information at 45 CFR Part 160 and Part 164, Subparts A and E.
“Protected Health Information” or “PHI” has the same meaning as the term “protected health information” in 45 CFR 160.103, limited in this Agreement to the information created or received by Business Associate from or on behalf of Covered Entity.
“Required by Law” has the same meaning as the term “required by law” in 45 CFR 164.103.
“Secretary” means the Secretary of the Department of Health and Human Services or his designee.
“Security Incident” means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system as provided in 45 CFR Part 164.304.
“Security Rule” means those requirements of 45 CFR Part 164.308, 164.310, 164.312, 164.314, and 164.316.
“Unsecured PHI” has the same definition that the Secretary gives the term in guidance issued by Section 13402 of HITECH.
“Use of PHI” means the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information per 45 CFR 160.103.
Capitalized terms not otherwise defined in this Agreement shall have the same meaning as those terms in the Privacy Rule, Security Rule or HIPAA.
Obligations and Activities of Business Associate
A. Business Associate agrees not to Use or to Disclose PHI other than as permitted or required by this BA Agreement or as permitted or Required by Law.
B. Business Associate agrees to use appropriate safeguards to prevent Use or Disclosure of the PHI other than as provided for by this BA Agreement. In particular, Business Associate agrees to comply with the Privacy Rule and Security Rule with respect to all data considered ePHI per the definition of ePHI herein.
C. Business Associate provides many mechanisms by which the Covered Entity can safeguard PHI, which, when properly utilized by Covered Entity, will ensure compliance with the provisions of the Privacy Rule and the Security Rule. Business Associate will, upon request, advise the Covered Entity as to the most appropriate measures Covered Entity should take with regards to Business Associate’s services in order to ensure compliance with the Privacy Rule and the Security Rule. However, Covered Entity agrees and understands that the Covered Entity is independently responsible for HIPAA compliance for the privacy and security of its PHI, including ePHI, in its possession or that it receives from outside sources, including the Business Associate.
D. Business Associate agrees to mitigate, to the extent reasonably practicable, any harmful effect that is known to Business Associate of a Use or Disclosure of PHI by Business Associate or its agents or subcontractors in violation of the requirements of this BA Agreement.
E. Business Associate agrees to report to Covered Entity any Use or Disclosure of PHI not provided for by this BA Agreement of which it becomes aware. Such notice will be made within 20 days of the discovery of such Disclosure.
F. Business Associate agrees to ensure that any agent, including a subcontractor, to whom it provides PHI received from, or created or received by Business Associate on behalf of Covered Entity, agrees to the same restrictions and conditions that apply through this BA Agreement to Business Associate with respect to such information.
G. All PHI maintained by Business Associate for Covered Entity will be available to Covered Entity in a time and manner that reasonably allows Covered Entity to comply with the requirements under 45 CFR § 164.524. Business Associate shall not be obligated to provide any such information directly to any Individual or person other than Covered Entity.
H. All PHI and other information maintained by Business Associate for Covered Entity will be available to Covered Entity in a time and manner that reasonably allows you to comply with the requirements under 45 CFR § 164.526.
I. Business Associate agrees to document such Disclosures of PHI and information related to such Disclosures for accounting purposes under 45 CFR 164.528, but only to the extent that (i) Business Associate is actually aware of Disclosures and (ii) such Disclosures are of the type of disclosures subject to documentation for accounting under 45 CFR 164.528. This provision covers the actions of Business Associate with respect to its explicit Disclosure of PHI, and Covered Entity acknowledges that this provision does not cover Disclosures that may result from Covered Entity’s inappropriate security settings or Covered Entity’s inappropriate usage of Business Associate’s services.
J. Covered Entity or an Individual may request that Business Associate make an amendment to PHI which is (i) stored on the Business Associate’s servers and (ii) partitioned in accounts owned by or contracted to Covered Entity. Business Associate and Covered Entity must agree to the form of amendment and amendment implementation timeline prior to Business Associate’s making any amendment to such PHI.
K. Business Associate agrees to make its internal practices, books and records, including policies and procedures relating to the Use and Disclosure of PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, available to the Secretary within 30 days of a verified request, for purposes of the Secretary’s determining Covered Entity’s or Business Associate’s compliance with the Privacy or Security Rules.
L. During the term of this BA Agreement, Business Associate shall notify Covered Entity within three (3) days of any actual Security Incident or breach of security, intrusion or unauthorized Use or Disclosure of PHI or ePHI and/or any actual Use or Disclosure of data in violation of HIPAA, or any legal action against Business Associate arising from an alleged HIPAA violation. Business Associate shall (i) take prompt action to correct any such deficiencies which are within the Business Associate’s actual control to cure and (ii) take such action pertaining to such unauthorized disclosure as may be required by HIPAA. Upon receipt of such notice of breach or Security Incident, Covered Entity shall be solely obligated to investigate and make such notice of breach to such persons, governmental agencies and prominent media outlets as required by HIPAA.
Permitted Uses and Disclosures by Business Associate
Except as otherwise limited in this BA Agreement or in any other portion of the Agreement:
A. Business Associate may use or disclose PHI to perform functions, activities or services for, or on behalf of, Covered Entity provided that such use or disclosure would not violate the Privacy Rule or Security Rule if done by Covered Entity.
B. Business Associate may Use and Disclose PHI for the proper management and administration of Business Associate and to carry out the legal responsibilities of Business Associate.
C. Business Associate may use PHI to report violations of law to appropriate federal and state authorities consistent with 45 CFR §164.502(j)(1).
Obligations of Covered Entity
A. Covered Entity is obliged to utilize Business Associate’s services in a way that ensures that Covered Entity is in compliance with HIPAA. As such, it is the sole obligation of Covered Entity to use appropriate methods and services to ensure compliance with the Privacy Rule and Security Rule for its PHI that is Disclosed to Business Associate in this Agreement or that otherwise travels through or is stored by any service or product offered by Business Associate under this Agreement.
B. Covered Entity shall notify Business Associate of any limitation(s) in its notice of privacy practices of Covered Entity in accordance with 45 CFR 164.520 to the extent that such limitation may affect Business Associate's Use or Disclosure of PHI.
C. Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by Individual to Use or Disclose PHI to the extent that such changes may affect Business Associate's Use or Disclosure of PHI.
D. Covered Entity shall notify Business Associate of any restriction to the Use or Disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR 164.522 and HITECH § 13405(a) to the extent that such restriction may affect Business Associate's Use or Disclosure of PHI.
E. Covered Entity shall not request Business Associate to Use or Disclose PHI in any manner that would not be permissible under HIPAA if done by Covered Entity.
F. Covered Entity agrees not to use Business Associate's services for the transmission or storage of ePHI except for the classes and types of ePHI meeting the definition of ePHI in Section 1 of this BA Agreement.
G. Covered Entity agrees to indemnify and hold harmless Business Associate, its directors, officers, shareholders, parents, subsidiaries, affiliates, and agents, from and against all losses, expenses, damages and costs, including reasonable attorneys’ fees, resulting from Covered Entity’s failure to fulfill its obligations under this Agreement.
Term and Termination
A. Term. This Agreement shall be effective as of the Effective Date and shall terminate when the requirements of Section 5.D. below are satisfied.
B. Termination for Cause by Covered Entity. Upon Covered Entity’s knowledge of a material breach of this BA Agreement by Business Associate, Covered Entity shall provide an opportunity for Business Associate to cure the breach. If Business Associate does not cure the breach within 30 days from the date that Covered Entity provides notice of such breach to Business Associate, then, from and after the end of the 30-day cure period, Covered Entity shall have the right to terminate this Agreement by providing 30 days’ advance written notice of such termination to Business Associate. If neither termination nor cure is feasible, Covered Entity shall report the violation to the Secretary.
C. Termination by Business Associate. This Agreement may be terminated by Business Associate upon 30 days prior written notice to Covered Entity in the event that Business Associate believes that the requirements of any law, legislation, consent decree, judicial action, governmental regulation or agency opinion, enacted, issued, or otherwise effective after the date of this Agreement and applicable to PHI or to this Agreement, cannot be met by Business Associate in a commercially reasonable manner and without significant additional expense.
D. Effect of Termination. Except as set forth in this Section 5.D., upon termination of this Agreement for any reason, within 90 days of the request of Covered Entity, Business Associate shall return or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity. Business Associate shall not retain any copies of the PHI. In the event that Business Associate determines that returning or destroying the PHI is infeasible, Business Associate shall provide to Covered Entity written notification of the conditions that make return or destruction infeasible. If the return or destruction of PHI is infeasible, Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI.
A. Regulatory References. A reference in this Agreement to a section in HIPAA.
B. Amendment. The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for Covered Entity to comply with the requirements of HIPAA and all subsequent laws and regulations bearing on the subject matter of this Agreement.
C. Survival. The respective rights and obligations of Business Associate under Section 5.D. of this Agreement shall survive the termination of this Agreement.
D. Interpretation. Any ambiguity in this Agreement shall be resolved to permit Covered Entity and Business Associate to comply with HIPAA.
E. Notices. All notices, requests, consents and other communications hereunder will be in writing, will be addressed to the receiving party’s address set forth below or to such other address as a party may designate by notice hereunder, and will be either (i) delivered by hand, (ii) made by facsimile transmission, (iii) sent by overnight courier, or (iv) sent by registered mail or certified mail, return receipt requested, postage prepaid.
If to the Covered Entity:
c/o Park Avenue Capital, LLC
2200 Fletcher Avenue 6th Floor
Fort Lee, New Jersey 07024
FAX: (201) 482-5925
If to the Business Associate:
F. Severability. If any portion or provision of this Agreement will to any extent be declared illegal or unenforceable by a duly authorized court having jurisdiction, then the remainder of this Agreement, or the application of such portion or provision in circumstances other than those as to which it is so declared illegal or unenforceable, will not be affected thereby, and each portion and provision of this Agreement will be valid and enforceable to the fullest extent permitted by law.
G. No Waiver of Rights, Powers and Remedies. No failure or delay by a party hereto in exercising any right, power or remedy under this Agreement, and no course of dealing between the parties hereto, will operate as a waiver of any such right, power or remedy of the party. The election of any remedy by a party hereto will not constitute a waiver of the right of such party to pursue other available remedies.
H. Governing Law. This Agreement will be governed by and construed in accordance with the laws of the State of Georgia.
I. Entire Agreement. This Agreement and the terms of the Customer Contracts set forth the entire understanding of the parties with respect to the subject matter set forth herein and supersedes all prior agreements, arrangements and communications, whether oral or written, pertaining to the subject matter hereof.
J. Counterparts. This Agreement may be executed by facsimile signature and in any number of counterparts, each of which shall be an original, and all such counterparts shall together constitute but one and the same agreement.