Business Associate Agreement

Effective November 1, 2018

1. Status of the Parties

The parties hereby acknowledge and agree that a Service Professional (when applicable) is subject to HIPAA compliance as a covered entity or as a business associate “Covered Entity,” and that Loconomics “Business Associate” may be a Business Associate of Covered Entity under the HIPAA Security and Privacy Rule and the HITECH Act, each defined below.

WHEREAS, Sections 261 through 264 of the federal Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 “HIPAA”, known as “the Administrative Simplification provisions,” direct the U.S. Department of Health and Human Services to develop standards to protect the security, confidentiality, and integrity of health information; and

WHEREAS, pursuant to the Administrative Simplification provisions, the Secretary of Health and Human Services issued regulations modifying 45 CFR Parts 160 and 164 (the “HIPAA Security and Privacy Rule”; and

WHEREAS, the American Recovery and Reinvestment Act of 2009 (Pub. L. 111-5) “ARRA”, pursuant to Title XIII of Division A and Title IV of Division B, called the “Health Information Technology for Economic and Clinical Health” “HITECH” Act, provides modifications to the HIPAA Security and Privacy Rule (hereinafter, all references to the “HIPAA Security and Privacy Rule” are deemed to include all amendments to such rule contained in the HITECH Act, the HIPAA Final Omnibus Rule of 2013, and any accompanying regulations, and any other subsequently adopted amendments or regulations); and

WHEREAS, the Parties wish to enter into or have entered into an arrangement whereby Business Associate will provide certain services to Covered Entity, and, pursuant to such arrangement, Business Associate may be considered a “business associate” of Covered Entity as defined in the HIPAA Security and Privacy Rule (hereby referred to as the “Arrangement Agreement”; and

WHEREAS, Business Associate may have access to Protected Health Information “PHI”, as defined below, in fulfilling its responsibilities under such arrangement;

THEREFORE, in consideration of the Parties’ continuing obligations under the Arrangement Agreement, compliance with the HIPAA Security and Privacy Rule, and for other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, and intending to be legally bound, the Parties agree to the provisions of this Business Associate Agreement (the “Agreement” in order to address the requirements of the HIPAA Security and Privacy Rule and to protect the interests of both Parties.

2. Definitions

Except as otherwise defined herein, any and all capitalized terms in this Agreement shall have the definitions set forth in the HIPAA Security and Privacy Rule. In the event of an inconsistency between the provisions of this Agreement and mandatory provisions of the HIPAA Security and Privacy Rule, as amended, the HIPAA Security and Privacy Rule shall control. Where provisions of this Agreement are different than those mandated in the HIPAA Security and Privacy Rule, but are nonetheless permitted by the HIPAA Security and Privacy Rule, the provisions of this Agreement shall control.

The term “Protected Health Information” or “PHI” shall have the definition set forth in the HIPAA Security and Privacy Rule, limited to PHI that is created, received, maintained, or transmitted on behalf of Covered Entity by Business Associate pursuant to the Agreement. “Protected Health Information” includes without limitation “Electronic Protected Health Information” or “EPHI,” as defined in the HIPAA Security and Privacy Rule, limited to EPHI that is created, received, maintained, or transmitted on behalf of Covered Entity by Business Associate pursuant to the Agreement.

3. Confidentiality and Security Requirements

Business Associate agrees to the following obligations:

  • a) Use or Disclosure of PHI. Business Associate agrees to use or disclose any Protected Health Information solely:
    • for meeting its obligations as set forth in any agreements between the Parties evidencing their business relationship, for services as described in such agreement(s), or
    • as required by applicable law, rule or regulation, or by any accrediting or credentialing organization to whom Covered Entity is required to disclose such information or as otherwise permitted or required under this Agreement, the Arrangement Agreement (if consistent with this Agreement and the HIPAA Security and Privacy Rule), or the HIPAA Security and Privacy Rule, and
    • as would be permitted by the HIPAA Security and Privacy Rule if such use or disclosure were made by Covered Entity. All such uses and disclosures shall be subject to the limits set forth in 45 CFR § 164.514 regarding limited data sets and 45 CFR § 164.502(b) regarding the minimum necessary requirements. Business Associate agrees, to the extent that Business Associate is to carry out one or more of Covered Entity’s obligation(s) under Subpart E of 45 C.F.R. Part 164, to comply with the requirements of Subpart E of 45 C.F.R. Part 164 that apply to Covered Entity in the performance of such obligation(s).
  • b) Disposition of PHI. Upon termination of this Agreement, if feasible, Business Associate will return or destroy all Protected Health Information received from or created or received by Business Associate on behalf of Covered Entity that Business Associate still maintains in any form and retain no copies of such information. It may not be feasible for Business Associate to return or destroy all copies of Protected Health Information. In such cases, where Business Associate determines, in its sole discretion, that such return or destruction is not feasible, the Parties will extend the protections of this Agreement to the information and Business Associate will limit further uses and disclosures solely to those purposes as originally intended under this Agreement.
  • c) Security of PHI. Business Associate agrees to ensure that its agents, including a subcontractor, that create, receive, maintain, or transmit Protected Health Information on behalf of Business Associate agree to the same restrictions and conditions that apply to Business Associate with respect to such information and agree to implement reasonable and appropriate safeguards to protect the confidentiality, integrity, and availability of any of such information which is Electronic Protected Health Information.
  • d) Notification of Breach of PHI. Business Associate shall, following the discovery of a breach of unsecured PHI, as defined in the HIPAA Security and Privacy Rule, notify the Covered Entity of such breach pursuant to the terms of 45 CFR § 164.410 and reasonably cooperate in the Covered Entity’s breach analysis procedures, including risk assessment, if requested. A breach shall be treated as discovered by Business Associate as of the first day on which such breach is known to Business Associate or, by exercising reasonable diligence, would have been known to Business Associate. Business Associate will provide such notification to Covered Entity without unreasonable delay and in no event later than twenty (20) calendar days after discovery of the breach. Such notification will contain the elements required in 45 CFR § 164.410.
  • e) Permitted Use of PHI. Notwithstanding the prohibitions set forth in this Agreement, Business Associate may use and disclose Protected Health Information:
    • if necessary, for the proper management and administration of Business Associate services or to carry out the legal responsibilities of Business Associate, provided that as to any such disclosure,
    • the disclosure is required by law; or
    • Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached; or for data aggregation services, if to be provided by Business Associate for the health care operations of Covered Entity pursuant to any agreements between the Parties evidencing their business relationship, or as mutually agreed in writing by both Parties. For purposes of this Agreement, data aggregation services means the combining of Protected Health Information by Business Associate with the protected health information received by Business Associate in its capacity as a business associate of another covered entity, to permit data analyses that relate to the health care operations of the respective covered entities.
  • f) Safeguarding PHI. Business Associate will implement appropriate safeguards to prevent use or disclosure of Protected Health Information other than as permitted in this Agreement or required or permitted by applicable law. Business Associate will implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of any Electronic Protected Health Information that it creates, receives, maintains, or transmits on behalf of Covered Entity as required by the HIPAA Security and Privacy Rule and will comply, where applicable, with Subpart C of 45 C.F.R. Part 164 with respect to such Electronic Protected Health Information to prevent use or disclosure of such electronic PHI other than as provided for by this Agreement.
  • g) Audit of Business Associate’s Records. The Secretary of Health and Human Services shall have the right to audit Business Associate’s records and practices related to use and disclosure of Protected Health Information to ensure Covered Entity’s compliance with the terms of the HIPAA Security and Privacy Rule.
  • h) Unauthorized Use of PHI. Business Associate shall report to Covered Entity any use or disclosure of Protected Health Information which is not in compliance with the terms of this Agreement of which it becomes aware. Business Associate shall report to Covered Entity any Security Incident of which it becomes aware.

4. Availability of PHI

Restrictions on Disclosures of PHI.

Business Associate agrees to comply with any requests for restrictions on certain disclosures of Protected Health Information maintained in a Designated Record Set pursuant to Section 164.522 of the HIPAA Security and Privacy Rule to which Covered Entity has agreed and of which Business Associate is notified by Covered Entity, if any.

Access.

Business Associate agrees to comply with any requests for preferences of access of Protected Health Information maintained in a Designated Record Set pursuant to Section 164.522 of the HIPAA Security and Privacy Rule to which Covered Entity has agreed and of which Business Associate is notified by Covered Entity, if any. Business Associate agrees to make available Protected Health Information to the extent and in the manner required by Section 164.524 of the HIPAA Security and Privacy Rule. Business Associate agrees to make Protected Health Information maintained in a Designated Record Set available for amendment and incorporate any amendments to Protected Health Information maintained in a Designated Record Set in accordance with the requirements of Section 164.526 of the HIPAA Security and Privacy Rule.

Accounting.

In addition, Business Associate agrees to make Protected Health Information available for purposes of accounting of disclosures, as required by Section 164.528 of the HIPAA Security and Privacy Rule and Section 13405(c)(3) of the HITECH Act. Business Associate and Covered Entity shall cooperate in providing any accounting required on a timely basis.

5. Obligations of Covered Entity

Changes in Authorization.

Covered Entity shall inform Business Associate, in writing and in a timely manner, of any changes in, or withdrawal of, any authorization provided to Covered Entity by any Individual pursuant to 45 CFR § 164.508, to the extent that such changes or withdrawal may affect Business Associate’s use or disclosure of PHI. In addition, Covered Entity shall notify Business Associate, in writing and in a timely manner, of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI. Covered Entity shall promptly notify Business Associate of any breach by Covered Entity of any obligation under the HIPAA Security and Privacy Rule as such breach relates to PHI as defined herein. Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Security and Privacy Rule if done by Covered Entity, and Business Associate is not required to use or disclose PHI in any manner that would not be permissible under the HIPAA Security and Privacy Rule if done by Covered Entity.

Minimum Necessary.

Covered Entity shall disclose to Business Associate only the “Minimum Necessary” amount of PHI for Business Associate to perform the services in Arrangement Agreement and its rights and obligations under this Agreement, and only in compliance with the HIPAA Security and Privacy Rule.

6. Term and Termination

Term.

This Agreement shall commence when the Covered Entity begins using the Loconomics Service and shall continue until (a) either party terminates this Agreement in writing; or (b) all PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity.

Termination for Cause.

Notwithstanding anything in this Agreement to the contrary, either Party shall have the right to terminate this Agreement upon thirty (30) days written notice and opportunity to cure to the other Party if the Party reasonably determines that the other Party has violated any material term of this Agreement. If the other party fails to timely cure the violation, the non-violating party may terminate this Agreement.

7. Miscellaneous

No Third Parties.

Except as expressly stated herein or within the HIPAA Security and Privacy Rule, the Parties to this Agreement do not intend to create any rights in any third parties.

Entire Agreement, Amendments, Assignment, Relationship, Waiver, Governing Law.

This Agreement is the entire agreement between the parties in connection with the subject matter herein and this Agreement may be amended or modified only in a writing signed by the Parties. Either party may assign, sublicense, delegate or transfer all or any portion of its rights or responsibilities under this Agreement by operation of law or otherwise to any subsidiaries or affiliates thereof, or to any other party, in connection with a sale of the business related to this Agreement or to the Arrangement Agreement. Any assignment of this Agreement by Business Associate in connection with a sale of this business shall relieve Business Associate from any further liability hereunder. None of the provisions of this Agreement are intended to create, nor will they be deemed to create any relationship between the Parties other than that of independent parties contracting with each other solely for the purposes of effecting the provisions of this Agreement and any other agreements between the Parties evidencing their business relationship. This Agreement will be governed by California law, without regard to its choice of law provisions. No change, waiver or discharge of any liability or obligation hereunder on any one or more occasions shall be deemed a waiver of performance of any continuing or other obligation, or shall prohibit enforcement of any obligation, on any other occasion. In the event that any provision of this Agreement is held by a court of competent jurisdiction to be invalid or unenforceable, the remainder of the provisions of this Agreement will remain in full force and effect. In addition, in the event a Party believes in good faith that any provision of this Agreement fails to comply with the then-current requirements of the HIPAA Security and Privacy Rule, including any then-current requirements of the HITECH Act or its regulations, such Party shall notify the other Party in writing. For a period of up to thirty (30) days, the Parties shall address in good faith such concern and amend the terms of this Agreement, if necessary to bring it into compliance. If, after such thirty (30)-day period, the Agreement fails to comply with the HIPAA Security and Privacy Rule, including the HITECH Act, then either Party has the right to terminate upon written notice to the other Party.

Minimum Requirements.

The Parties agree that, in the event that any documentation of the Arrangement Agreement pursuant to which Business Associate provides services to Covered Entity contains provisions relating to the use or disclosure of Protected Health Information that are more restrictive than the provisions of this Agreement, the provisions of the more restrictive documentation will control. The provisions of this Agreement are intended to establish the minimum requirements regarding the Parties’ use and disclosure of Protected Health Information.