This business associate’s agreement (the “BAA”) is made on and effective on the date of signing (the “Effective Date”) by and the client agreeing to the terms below (“Client”). Contractor and Client may each be referred to as a “Party,” or collectively, as the “Parties.”
- Definitions.
1.01 “Business Associate” has the same meaning given in 45 C.F.R. §160.103.
1.02 “C.F.R.” will mean the Code of Federal Regulations. All references to the C.F.R. are to their then current version.
1.03 “Designated Record Set” has the same meaning in 45 C.F.R. §164.501.
1.04 “Covered Entity” has the same meaning in 45 C.F.R. §160.103.
1.05 “Privacy Laws” means HIPAA, the HIPAA regulations, and any other applicable state or federal laws or regulations affecting or regulating the privacy or security of health information.
1.06 “Protected Health Information” (“PHI”) will have the meaning given to such term in 45 C.F.R. §164.501, and specifically includes PHI in digital as well as physical formats.
1.07 “Underlying Agreement” means that certain business services agreement entered into between the Parties related to the use of Contractor’s proprietary SaaS app.
All other capitalized terms not specifically defined in this BAA will have the same meaning as they do in the Underlying Agreement.
- Contractor Obligations.
2.01 Permitted Uses and Disclosures. Contractor may not use or disclose PHI received or created pursuant to this BAA, except for the following permitted uses and disclosures:
- Contractor's Operations. Contractor may use the PHI it obtains or maintains in its capacity as a Business Associate for the proper management and administration of Contractor or to carry out Contractor's legal responsibilities.
- Contractor's Operations. Contractor may disclose the PHI it obtains, creates or maintains in its capacity as a Business Associate if such disclosure is necessary for Contractor's proper management and administration or to carry out Contractor's legal responsibilities, and:
- The disclosure is required by law; or
- Contractor obtains reasonable assurances from the recipient of the PHI that: (1) the PHI will be held confidentially and used or further disclosed only as required by law or with such further authorizations required by law, and any such disclosure will be only for the purpose for which it was initially disclosed to the recipient; (2) the recipient notifies Contractor (and Contractor in turn notifies Client) of any instances of which it is aware in which the confidentiality of the PHI has been breached; and (3) except for treatment disclosures, Contractor and its agents agree to use, disclose, or request only the limited data set (as defined in 45 C.F.R. §164.514(e)(2)), or if that is inadequate, the minimum PHI necessary to accomplish the intended purpose of that use, disclosure or request, and further agree that disclosing party determines what constitutes the minimum necessary to accomplish the intended purpose of the disclosure.
2.02 Additional Obligations imposed by the HITECH Act. Contractor agrees to abide by all the following to the extent they are implicated by the Underlying Agreement:
- Contractor agrees to comply with all privacy laws governing marketing communications, that is, communications about a product or service that encourages the recipient to purchase or use the product or service.
- Contractor understands and agrees that it will be subject to the same penalties as a covered entity for any violation of the HIPAA Security requirements and for violations of the Privacy Rule for impermissible uses and disclosures, for a failure to provide breach notification to the covered entity, for a failure to provide access to a copy of electronic PHI to either the covered entity, the individual, or the individual’s designee (whichever is specified in the business associate agreement), for a failure to disclose PHI where required by the Secretary to investigate or determine the business associate’s compliance with the HIPAA Rules, and for a failure to provide an accounting of disclosures, and it will also be subject to periodic audits by the HHS secretary. Contractor further understands and agrees that its subcontractors will be held to the same standards.
- Contractor agrees to comply with all privacy laws governing the sale of PHI.
- Minimum Necessary. Except for treatment disclosures, Contractor and its agents agree to use, disclose, or request only the limited data set (as defined in 45 C.F.R. §164.514(e)(2)), or if that is inadequate, the minimum PHI necessary to accomplish the intended purpose of that use. Contractor understands that the HHS Secretary is mandated to issue guidance on what constitutes “minimum necessary,” and agrees that Contractor and its agents will be bound by that guidance when it is issued and becomes effective.
- Access to PHI by Individuals. The Parties will work together to fulfill all requests by individuals for access to the individual's PHI that are approved by Client. The Parties will cooperate in all respects necessary to comply with 45 C.F.R. §164.524 and Colorado law, including but not limited to providing Client with copies of requested PHI at least 5 business days prior to the date Client must provide the copies to the requestor. Contractor further agrees that to the extent Contractor maintains PHI of Client in an electronic health record (EHR) or other electronic Designated Record Set, Client must comply with patients' requests for access to their PHI by giving them, or any entity that they designate clearly, conspicuously and specifically, the information in an electronic format, and must not charge the requestor more than the labor and supply costs in responding to the request for the copy (or summary or explanation). If Contractor receives a request from an individual for access to PHI, Contractor immediately will forward such request to Client. Client will be solely responsible for determining the scope of PHI and Designated Record Set with respect to each request by an individual for access to PHI. If Contractor maintains PHI in a Designated Record Set on behalf of Client, Contractor will permit any individual, upon authorization by Client, to access and obtain copies of the individual's PHI in accordance with 45 C.F.R. §164.524 and Colorado law. Contractor will make the PHI available in the format requested by the individual and approved by Client, unless the PHI is not readily producible in such format, in which case the PHI will be produced in hard copy format. Contractor may not charge the individual any fees for such access to PHI but will provide written documentation to Client of the labor and supply costs Contractor incurred producing the copies in the requested format. Client will reimburse Contractor for Contractor's documented labor and supply costs, to the extent they are reasonable, allowed by law, and Client recovers these costs from the requestor.
- Access to Contractor's Books and Records. Contractor will make its internal practices, books, and records relating to the use and disclosure of PHI received from or created or received by Contractor on behalf of Client available to the Secretary of the Department of Health and Human Services for purposes of determining Client's compliance with HIPAA. Upon reasonable notice to Contractor and during Contractor's normal business hours, Contractor will make such internal practices, books and records available to Client to inspect for purposes of determining compliance with this BAA.
- Amendment of PHI. If Contractor receives a request from an individual for amendment of PHI, Contractor immediately will forward such request to Client. Client will be solely responsible for determining the response to each request by an individual for amendment of PHI. As directed and in accordance with the time frames specified by Client, Contractor will incorporate all amendments or addenda to PHI received from Client. Within five (5) business days following Contractor's amendment of PHI as directed by Client, Contractor will provide written notice to Client confirming that Contractor has made the amendments or addenda to PHI as directed by Client and containing any other information as may be necessary for Client to provide adequate notice to the individual in accordance with 45 C.F.R. §164.526 and Colorado law.
- Disclosure Accounting. In the event Contractor makes any disclosures of PHI that are subject to the accounting requirements of 45 C.F.R. §164.528, Contractor promptly will report such disclosures to Client. The notice by Contractor to Client of the disclosure will include the name of the individual, the recipient, and the reason for disclosure, and the date of the disclosure. Contractor will maintain a record of each such disclosure, including the date of the disclosure, the name and, if available, the address of the recipient of the PHI, a brief description of the PHI disclosed and a brief description of the purpose of the disclosure. Contractor will maintain this record for a period of six (6) years and make available to Client upon request in an electronic format so that Client may meet its disclosure accounting obligations under 45 C.F.R. §164.528. If Contractor receives a request from an individual for an accounting of disclosures, Contractor immediately will forward such request to Client. Client will be solely responsible for responding to each request by an individual for an accounting of disclosures. Contractor understands that the HHS Secretary is mandated to adopt rules expanding the disclosure accounting obligations applicable to Companies that maintain EHR and agrees that Contractor will be bound by those rules when they are issued and become effective.
- Security Safeguards. Contractor will implement a documented information security program that includes administrative, technical and physical safeguards designed to prevent the accidental or otherwise unauthorized use or disclosure of PHI, and the integrity and availability of PHI it creates, receives, maintains or transmits on behalf of Client. The security program will include all the reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, and other requirements of the HIPAA Security Rule. To the extent applicable, Contractor agrees to encrypt all electronic PHI and destroy all paper PHI such that it is unusable, unreadable or indecipherable to unauthorized users.
- Reporting and Mitigating Unauthorized Uses and Disclosures of PHI. Immediately upon discovery by Contractor, and no later than 5 calendar days, Contractor will report to Client any uses or disclosures of PHI not authorized by this BAA and, with respect to ePHI, any security incident, including any attempted or successful unauthorized access, use, disclosure, modification, or destruction of electronic PHI or interference with information system operations. Contractor further agrees that, following the discovery of a breach of unsecured PHI, Contractor will notify Client of such a breach without unreasonable delay and in no case later than 5 calendar days after discovery of a breach. Contractor understands and agrees that a breach of unsecured PHI will be treated as "discovered" as of the first day on which Contractor knew of the breach, or by exercising reasonable diligence, would have known of the breach. Contractor further agrees that at the request of Client, Contractor will provide notice of the breach of unsecured PHI to individuals, the HHS Office for Civil Rights (OCR), and the media, on behalf of the covered entity as required by the Breach Notification Rule, but that Contractor will not otherwise provide such notice. Contractor will use its best efforts to mitigate the deleterious effects of any use or disclosure of PHI not authorized by this BAA.
- Affiliates, Agents, Subsidiaries and Subcontractors. Contractor will require any agents, affiliates, subsidiaries, and subcontractors to whom it provides PHI received from Client, or PHI which was created, maintained, or received by Contractor on behalf of Client, agree in writing to the same use, disclosure, and security obligations and restrictions imposed on Contractor by this BAA.
- Ownership of Information. All PHI will be deemed owned by Client unless otherwise agreed in writing. During the term of this BAA, Contractor and any authorized subcontractors will have the right to use and disclose the PHI solely for the purposes of this BAA. Contractor and its agents will not have the right to aggregate or de-identify the PHI unless separately agreed in writing.
- Client Obligations.
3.01 Client will inform Contractor of any of the following changes which affect Contractor: changes to its privacy practices that affect Contractor, new or changed authorizations, restrictions on use of PHI agreed to by Client; or patient opt-outs concerning fundraising or marketing solicitations.
- Term and Termination.
4.01 Term. This BAA will be for a term defined in the Underlying Agreement.
4.02 Termination for Breach of Privacy or Security. Client, at its sole option and without an opportunity to cure, immediately may terminate this BAA without further liability if Client determines that Contractor has violated a material term of this BAA related to the privacy or security of the PHI.
4.03 Termination without Cause. Either Party may terminate the BAA upon provision of sixty (60) days prior written notice.
4.04 Termination for Cause. Either Party may terminate this BAA for a material breach after thirty (30) days written notice of the breach and an opportunity to cure during the 30-day period. Either Party may terminate this BAA immediately upon written notice if the other has a receiver or trustee appointed for any or all of its property, becomes insolvent or otherwise is unable to pay its debts as they mature, makes an assignment for benefit of creditors, becomes subject to bankruptcy proceedings or is dissolved or liquidated.
4.05 Effects of Termination; Disposal of PHI. Upon termination of this BAA, Contractor will recover all PHI related to this BAA that is in the possession of Contractor's agents, affiliates, subsidiaries or subcontractors. Contractor will, as directed by Client, either return to Client, transfer or destroy all PHI that Contractor created, obtained or maintained pursuant to this BAA on behalf of Client. Contractor further agrees to return or destroy the retained PHI as soon as it is feasible. If the Parties agree at the time of termination of this BAA that it is similarly infeasible for Contractor to recover all related PHI in the possession of Contractor's agents, affiliates, subsidiaries or subcontractors, Contractor will provide written notice to Client regarding the nature of the unfeasibility and Contractor will require that its agents, affiliates, subsidiaries, and subcontractors agree to the extension of all protections, limitations and restrictions required of Contractor hereunder. Contractor’s obligations under this section will survive the termination of this BAA.
4.06 Mitigating Effects of Termination. In the event of termination of this Agreement, the Parties agree to work together to effectuate a smooth transition for both Parties and continuous protection of the PHI disclosed to or maintained by Contractor.
- Indemnification.
5.01 Indemnification. Each Party will indemnify and hold harmless the other Party to this BAA from and against all claims, losses, liabilities, costs and other expenses incurred as a result of, or arising directly or indirectly out of or in conjunction with: (a) any misrepresentation, breach of warranty or non-fulfillment of any undertaking on the part of the Party; and (b) any claims, demands, awards, judgments, actions and proceedings made by any person or organization arising out of or in any way connected with the Party's performance under this BAA.
5.02 Breach Investigation and Notification. Contractor further agrees to indemnify and hold harmless Client from and against any and all claims, losses, liabilities, costs, and other expenses arising out of a breach of unsecured PHI maintained, stored, accessed, transmitted or used by Contractor or any of Contractor’s subcontractors. At the request of Client, Contractor further agrees to carry out the notification to affected individuals and to the media as required by state and federal law, and to bear the burden of demonstrating that all notifications were made as required by law.
- Miscellaneous.
6.01 Contractor's Compliance with HIPAA. Contractor is solely responsible for all decisions made by Contractor regarding the safeguarding of PHI.
6.02 Notices. Any notice required to be given pursuant to the terms and provisions of this BAA will be in writing and may be either personally delivered or sent by registered or certified mail in the United States Postal Service, Return Receipt Requested, postage prepaid, addressed to each Party at the addresses herein or to such other addresses as the Parties may hereinafter designate in writing.
6.03 Amendments. By mutual consent of the Parties, this BAA may from time to time be modified or amended in writing, and such written modifications signed by the Parties will be attached to and become part of this BAA. Any amendments to the Underlying Agreement which change Contractor’s obligations as they relate to the creation, use, maintenance, receipt or disclosure of PHI will be deemed incorporated in this BAA, and the uses and disclosures permitted by this BAA will expand and contract as required to allow Contractor to use or disclose PHI to the extent necessary to perform Contractor’s obligations pursuant to the Underlying Agreement.
6.04 Severability and Survival. In the event any provision of this BAA is held to be unenforceable for any reason, the unenforceability thereof will not affect the remainder of this BAA, which will remain in full force and effect and enforceable in accordance with its terms. The obligations of the Parties to the PHI will survive termination of this BAA.
6.05 Governing Law. This BAA will be construed broadly to implement and comply with the requirements relating to the Privacy Laws. All other aspects of this BAA will be governed under the laws of the State of Colorado. Venue for any actions relating to this BAA will be proper in Denver County, CO.
6.06 Assignment/Subcontracting. This BAA will inure to the benefit of and be binding upon the Parties and their respective legal representatives, successors, and permitted assigns. Neither Party may assign or subcontract the rights or obligations under this BAA without the express written consent of the other Party. To the extent Contractor enters into any BAA with a subcontractor, Contractor agrees to ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of the business associate agree to the same restrictions, conditions, and requirements that apply to the business associate with respect to such information, in accordance with 45 C.F.R. §§164.502(e)(1)(ii) and 164.308(b)(2) as applicable.
6.09 Entire BAA. This BAA contains the entire BAA between Parties and supersedes all prior discussions, negotiations, and services for like services. This BAA will be interpreted in a manner consistent with the Underlying Agreement. In the event of conflict, this BAA will prevail.
6.10 No Third-Party Beneficiaries. Nothing express or implied in this BAA is intended to confer, nor will anything herein confer, upon any person other than Covered Entity, Business Associate and their respective successors or assigns, any rights, remedies, obligations or liabilities whatsoever.
6.11 Intent to Comply with Laws. This BAA will be construed consistently with all Privacy Laws and in favor of the protection of PHI.