BUSINESS ASSOCIATE AGREEMENT
This BUSINESS ASSOCIATE AGREEMENT (this "BAA"), by and between
EASYRX LLC, a Georgia limited liability company ("Business Associate") and your Business ("Covered Entity") is entered into and made effective as of the date the authorized agent of Business Associate clicks the "Accept" button below (the "Effective Date").
BY CLICKING THE "ACCEPT" BUTTON, COVERED ENTITY ACKNOWLEDGES AND AGREES THAT IT HAS READ ALL OF THE TERMS AND CONDITIONS OF THIS AGREEMENT AND AGREES TO BE BOUND BY ALL TERMS AND CONDITIONS.
The person clicking the ACCEPT button hereby represents to EasyRx, LLC that he or she is at least 18 years old and is competent and fully authorized to enter into this binding agreement on behalf of the Business Associate.
WHEREAS, Covered Entity and Business Associate are parties to an agreement or various agreements whereby Business Associate provides certain services to Covered Entity ("Agreement").
WHEREAS, Business Associate's performance of the Agreement may require Business Associate to create, receive, maintain, or transmit Protected Health Information or financial accounts that are subject to the federal law and regulations with respect to privacy, security, and breach notification under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), including all pertinent regulations issued by the agencies of the United States Department of Health and Human Services (45 C.F.R. Parts 160 and 164), as amended by Subtitle D of the Health Information Technology for Economic and Clinical Health Act (HITECH Act), Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 (Pub. L. 111-5) (collectively referred to hereinafter as the "HIPAA Standards"); and
WHEREAS, the parties are committed to complying with the HIPAA Standards;
NOW, THEREFORE, in consideration of the mutual promises and obligations set forth herein, and other good and valuable consideration, the receipt and sufficiency of which the parties acknowledge the parties hereby agree as follows:
General. This BAA sets forth the terms and conditions under which Protected Health Information or Electronic Protected Health Information that Business Associate creates, receives, maintains, or transmits on behalf of the Covered Entity will be handled between the Business Associate and the Covered Entity, as well as with third parties during the term of the Agreement and following its termination. In the event of an inconsistency between the terms of the Agreement and the terms of this BAA, the terms of this BAA shall control in regard to the handling of Protected Health Information or Electronic Protected Health Information.
Definitions. When used in this BAA, the following terms have the following meanings:
- "Protected Health Information" or "PHI" has the same meaning as the term "protected health information" in 45 C.F.R. § 160.103, limited to the information created, received, maintained, or transmitted on behalf of Covered Entity.
- "Electronic Protected Health Information" has the same meaning as the term "electronic protected health information" in 45 C.F.R. § 160.103, limited to the information created, received, maintained, or transmitted on behalf of Covered Entity.
- "Unsecured Protected Health Information" or "Unsecured PHI" means Protected Health Information that is not secured through the use of a technology or methodology specified by the Secretary in guidance or as otherwise defined in Section 13402(h) of the HITECH Act.
- "Privacy Rule" means the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. part 160, part 162 and part 164, subparts A and E.
- "Security Rule" means the Security Standards for the Protection of Electronic Protected Health Information at 45 C.F.R. part 160 and part 164, subpart C.
- "Secretary" means the Secretary of the Department of Health and Human Services or his/her designee.
- Terms used, but not otherwise defined, in this BAA shall have the same meaning as those terms in the HIPAA Standards and regulations.
- The term Protected Health Information or PHI shall include both Protected Health Information and Electronic Protected Health Information ("ePHI"); however, ePHI shall be used when only Electronic Protected Health Information is being referenced.
Obligations and Activities of Business Associate.
- Business Associate agrees not to use or disclose Protected Health Information other than as permitted or required by the Agreement (including this BAA) or as Required By Law.
- Business Associate will implement administrative, physical, and technical safeguards set forth in 45 CFR §§ 164.308, 164.310, and 164.312 that reasonably and appropriately protect the confidentiality, integrity, and availability of any Protected Health Information that it creates, receives, maintains or transmits on behalf of Covered Entity, and in accordance with 45 C.F.R. § 164.316, implement and maintain reasonable and appropriate policies and procedures to enable it to comply with the requirements outlined in 45 CFR §§ 164.308, 164.310, and 164.312.
- Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this BAA.
- Business Associate agrees to report promptly, no later than five (5) days after discovery, to Covered Entity any use or disclosure of the Protected Health Information not provided for by this BAA of which it becomes aware. For uses or disclosures that represent breaches of unsecured Protected Health Information, Business Associate shall report the information required by 45 C.F.R. 164.410 without unreasonable delay, and in no case later than thirty (30) days after discovery.
- Business Associate agrees to ensure that any subcontractor that creates, receives, maintains, or transmits Protected Health Information agrees to the same restrictions, conditions, and requirement that apply through this BAA to Business Associate with respect to such information. Business Associate shall perform appropriate due diligence on each subcontractor prior to permitting a Subcontractor to receive, create, maintain, or transmit Protected Health Information.
- Business Associate agrees to provide access, within ten (10) days of receiving a written request from Covered Entity, to Protected Health Information in a Designated Record Set to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 C.F.R. § 164.524, and any subsequent legislation or guidance regarding an Individual's right to access his or her Protected Health Information, including, but not limited to, the requirements of Section 13405 of HITECH Act and the regulations thereunder. In the event any Individual requests access to Protected Health Information directly from Business Associate, Business Associate shall forward such request to Covered Entity within two (2) days.
- Business Associate agrees to make any amendment(s) to Protected Health Information in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 C.F.R. § 164.526 and any subsequent legislation or guidance regarding an Individual's right to request amendment of his or her Protected Health Information within thirty (30) days of receiving a written request from Covered Entity. In the event any Individual requests amendment of Protected Health Information directly from Business Associate, Business Associate shall forward such request to Covered Entity within five (5) days.
- Business Associate agrees to comply with the applicable requirements of the Security Rule and to ensure that any subcontractor that creates, receives, maintains, or transmits Protected Health Information agrees to comply with the applicable requirements the Security Rule.
- Business Associate agrees to make its internal practices, books, and records, including policies and procedures, relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of, Covered Entity available to the Covered Entity within ten (10) days of receiving a written request from Covered Entity, or to the Secretary, in a time and manner designated by the Secretary, for purposes of the Secretary's determining Covered Entity's compliance with the Privacy Rule and Security Rule. Nothing in this section shall be construed as a waiver of any legal privilege or of any protections for trade secrets or confidential commercial information. Business Associate shall immediately notify Covered Entity of such request from the Secretary pertaining to an investigation of Covered Entity's compliance with HIPAA.
- Business Associate agrees to document uses and disclosures of Protected Health Information and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information and/or an access report in accordance with 45 C.F.R. § 164.528 and any subsequent legislation or guidance regarding an Individual's right to an accounting of the disclosures of his or her Protected Health Information or access report, including but not limited to, the requirements of Section 13405 of HITECH Act and the regulations thereunder. Nothing in this section shall require documenting PHI as necessary to create an access report unless 45 C.F.R. § 164.528 is amended to require such a report.
- To the extent Business Associate is to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 C.F.R Part 164, including but not limited to provision of Covered Entity's notice of privacy practices, Business Associate agrees to comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s).
Permitted Uses and Disclosures by Business Associate.
- Except as otherwise limited in this BAA, Business Associate may use or disclose Protected Health Information to perform functions, activities, or services for, or on behalf of, Covered Entity as specified in the Agreement, provided that such use or disclosure would not violate the Privacy Rule if done by Covered Entity.
- Except as otherwise limited in this BAA, Business Associate may disclose Protected Health Information for the proper management and administration or to carry out the legal responsibilities of the Business Associate, provided that disclosures are Required By Law, or (i) Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached; and (ii) Business Associate obtains Covered Entity's prior written approval for such disclosures involving 500 or more Individuals.
- Except as otherwise limited in this BAA, Business Associate may use Protected Health Information to provide Data Aggregation services to Covered Entity as permitted by 45 C.F.R. § 164.504(e)(2) (i)(B).
- Business Associate may use Protected Health Information to report violations of law to appropriate Federal and State authorities, consistent with 45 C.F.R. § 164.502(j)(1).
- Business Associate may not use Protected Health Information to create de-identified health information under 45 C.F.R. § 164.514(b) of the Privacy Rule unless necessary to perform functions, activities, or services for, or on behalf of, Covered Entity as specified in the Agreement.
Term and Termination.
Term. The term of this BAA shall be effective upon execution, and shall terminate when the Agreement is terminated.
Termination for Cause. Upon either Party’s knowledge of a material breach by the other Party of its obligations under this Agreement, the non-breaching Party shall, within twenty (20) days of that determination, notify the breaching Party, and the breaching Party shall have thirty (30) days from receipt of that notice to cure the breach or end the violation. If the breaching Party fails to take reasonable steps to effect such a cure within such time period, the non-breaching Party may terminate this Agreement and the Underlying Agreements without penalty. Where either Party has knowledge of a material breach by the other Party and determines that cure is infeasible, prior notice of the breach is not required, and the non-breaching Party shall terminate the portion of the Underlying Agreements affected by the breach without penalty. Where neither cure nor termination is feasible, the non-breaching Party shall report the violation to the Secretary.
Effect of Termination. Upon termination of this Agreement, the parties hereby acknowledge that the return or destruction of PHI received by the Business Associate from Covered Entity is likely not feasible, and that, therefore Business Associate may retain a copy of such Protected Health Information provided that: (i) the provisions of this BAA shall continue to apply to any such information retained following cancellation, termination, expiration, or other conclusion of the Agreement; and (ii) Business Associate shall limit uses and disclosures of such PHI to those purposes that make the return or destruction thereof not feasible, for as long as Business Associate maintains such PHI.
- Regulatory References. A reference in this BAA to a section of the law means the section as in effect or as amended.
- Amendment. The Parties agree to take such action as is necessary to amend this BAA from time to time as is necessary for either Party or both Parties to comply with the equirements of the HIPAA Standards.
- Survival. The respective rights and obligations of the parties which by their nature are intended to survive the expiration or termination of this BAA shall survive.
- Interpretation. Any ambiguity in this BAA shall be resolved to permit Covered Entity to comply with the HIPAA Standards.
- Construction of Terms. The terms of this BAA shall be construed in light of any applicable interpretation or guidance that may be issued from time to time on the HIPAA Standards by the Department of Health and Human Services or its Office of Civil Rights.
- No Third Party Beneficiaries. Nothing in this Agreement shall confer upon any person other than the parties and their respective successors or assigns, any rights, remedies, obligations, or liabilities whatsoever.
- Contradictory Terms. Any provision of the Agreement that is directly contradictory to one or more terms of this BAA shall be superseded by the terms of this BAA as of the Effective Date of this BAA to the extent and only to the extent of the contradiction, only for the purpose of the Covered Entity's compliance with the HIPAA Standards, and only to the extent that it is reasonably impossible to comply with both the conflicting term and the terms of this BAA.
- HITECH Act Applicability. To the extent not referenced or incorporated herein, requirements applicable to Business Associate and Covered Entity under the HITECH Act are hereby incorporated by reference into this BAA. Business Associate and Covered Entity agree to comply with applicable requirements imposed under the HITECH Act, as of the effective date of each such requirement.
- Ownership of Information. The Parties agree that the Protected Health Information and Personal Information is, and shall remain, the property of Covered Entity or its clients or customers.
- Indemnification. Each party shall indemnify and hold the other harmless from and against all claims, liabilities, judgments, fines, assessments, penalties, awards, or other expenses, of any kind or nature whatsoever, including, without limitation, attorneys’ fees, expert witness fees, and costs of investigation, litigation or dispute resolution, relating to or arising out of any breach of this BAA, or any breach, by that Party or its subcontractors or agents.
- Insurance. Business Associate shall maintain appropriate and adequate insurance coverage to cover Business Associate's obligations pursuant to this BAA, in amounts not less than may be required by the Agreement.