Business Associate Agreement
HIPAA / HITECH compliant Business Associate Agreement template.
This Business Associate Agreement (this "Agreement") is entered into as of _______________________ (the "Effective Date"), by and between:
[RECIPIENT COMPANY NAME], a [STATE/COUNTRY] [corporation/LLC], with its principal place of business at [ADDRESS] ("Covered Entity" or "CE"); and
Claimalytics, LLC, a Florida LLC, with its principal place of business at 708 W Keysville Rd, Plant City, FL 33567 ("Business Associate" or "BA").
Covered Entity and Business Associate are each referred to individually as a "Party" and collectively as the "Parties."
Recitals
WHEREAS, Business Associate provides software technology and data analytics services to Covered Entity, which may involve the creation, receipt, maintenance, transmission, or use of Protected Health Information ("PHI") on behalf of Covered Entity;
WHEREAS, the Parties wish to comply with the requirements of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), as amended by the Health Information Technology for Economic and Clinical Health Act ("HITECH"), and the regulations promulgated thereunder, including 45 C.F.R. Parts 160 and 164 (collectively, the "HIPAA Rules");
NOW, THEREFORE, in consideration of the mutual covenants and agreements contained herein and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties agree as follows:
1. Definitions
Capitalized terms used but not otherwise defined in this Agreement shall have the meanings ascribed to them under the HIPAA Rules. For purposes of this Agreement:
- "Business Associate" shall have the meaning given such term in 45 C.F.R. § 160.103, and shall refer to Claimalytics, LLC.
- "Covered Entity" shall have the meaning given such term in 45 C.F.R. § 160.103, and shall refer to [Recipient Company Name].
- "Protected Health Information" or "PHI" shall have the meaning given such term in 45 C.F.R. § 160.103, limited to PHI created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity.
- "Electronic Protected Health Information" or "ePHI" means PHI that is maintained in or transmitted by electronic media as defined in 45 C.F.R. § 160.103.
- "Security Incident" shall have the meaning given such term in 45 C.F.R. § 164.304.
- "Breach" shall have the meaning given such term in 45 C.F.R. § 164.402.
- "Services" means software technology services and data analytics services provided by Business Associate to Covered Entity pursuant to any underlying services or vendor agreement between the Parties.
2. Obligations and Activities of Business Associate
Business Associate agrees to:
(a) Use Limitations
Not use or disclose PHI other than as permitted or required by this Agreement or as required by applicable law.
(b) Safeguards
Use appropriate administrative, physical, and technical safeguards, and comply with the HIPAA Security Rule with respect to ePHI, to prevent use or disclosure of PHI other than as provided for by this Agreement.
(c) Subcontractors
Ensure that any subcontractors or agents that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to the same restrictions, conditions, and requirements that apply to Business Associate under this Agreement, by executing a subcontractor business associate agreement.
(d) Reporting
Report to Covered Entity, without unreasonable delay, any use or disclosure of PHI not provided for by this Agreement. Business Associate shall notify Covered Entity of any Breach of Unsecured PHI within sixty (60) calendar days of discovery of such Breach, in accordance with 45 C.F.R. § 164.410. Business Associate shall also report any Security Incident of which it becomes aware.
(e) Access
Make available PHI in a Designated Record Set to Covered Entity as necessary to satisfy Covered Entity's obligations to provide individuals with access to their PHI under 45 C.F.R. § 164.524.
(f) Amendment
Make PHI available to Covered Entity as necessary for Covered Entity to fulfill its obligations to amend PHI under 45 C.F.R. § 164.526.
(g) Accounting of Disclosures
Make available to Covered Entity information required to provide an accounting of disclosures as required by 45 C.F.R. § 164.528.
(h) HITECH Compliance
To the extent Business Associate carries out Covered Entity's obligations under the Privacy Rule, comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of such obligations.
(i) HHS Access
Make its internal practices, books, and records available to the Secretary of the U.S. Department of Health and Human Services ("HHS") for purposes of determining compliance with the HIPAA Rules.
(j) Minimum Necessary
Use or disclose only the minimum amount of PHI necessary to accomplish the intended purpose of the use, disclosure, or request, in accordance with 45 C.F.R. § 164.502(b).
3. Permitted Uses and Disclosures by Business Associate
Business Associate is permitted to use or disclose PHI as follows:
(a) Services
Use or disclose PHI as necessary to perform the Services specified in the underlying services agreement between the Parties, including software technology services and analytics/data processing services.
(b) Management and Administration
Use PHI for the proper management and administration of Business Associate's business or to carry out Business Associate's legal responsibilities.
(c) Data Aggregation
Use PHI to provide data aggregation services relating to the health care operations of Covered Entity, as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B).
(d) De-identification
De-identify PHI in accordance with 45 C.F.R. § 164.514(b), provided that de-identified data shall no longer be subject to this Agreement.
(e) Required by Law
Disclose PHI as required by law, subject to the requirements of 45 C.F.R. § 164.512.
Business Associate shall not use or disclose PHI in any manner that would violate the HIPAA Rules if done by Covered Entity, except as otherwise permitted by this Agreement.
4. Obligations of Covered Entity
Covered Entity agrees to:
(a) Notice of Privacy Practices
Provide Business Associate with the notice of privacy practices that Covered Entity produces in accordance with 45 C.F.R. § 164.520, as well as any changes to such notice.
(b) Permission Changes
Notify Business Associate of any changes in, or revocation of, permission by individuals to use or disclose PHI, to the extent that such changes may affect Business Associate's permitted or required uses and disclosures.
(c) Restrictions
Notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 C.F.R. § 164.522, to the extent that such restriction may affect Business Associate's permitted or required uses and disclosures.
(d) Lawful Requests
Not request Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Covered Entity.
5. Security Rule Compliance (ePHI)
With respect to ePHI, Business Associate agrees to:
- Implement administrative safeguards as required by 45 C.F.R. § 164.308;
- Implement physical safeguards as required by 45 C.F.R. § 164.310;
- Implement technical safeguards as required by 45 C.F.R. § 164.312;
- Comply with the organizational requirements of 45 C.F.R. § 164.314;
- Implement policies and procedures under 45 C.F.R. § 164.316;
- Conduct periodic risk assessments and implement security measures to reduce identified risks;
- Maintain an incident response plan for Security Incidents involving ePHI.
6. Breach Notification
(a) Discovery
A Breach shall be treated as discovered by Business Associate as of the first day on which such Breach is known to Business Associate or, by exercising reasonable diligence, would have been known to Business Associate.
(b) Notification Timeline
Business Associate shall notify Covered Entity of a Breach of Unsecured PHI without unreasonable delay and in no case later than sixty (60) calendar days after discovery of the Breach.
(c) Notice Contents
To the extent possible, the notification shall include: (i) the identification of each individual whose Unsecured PHI has been or is reasonably believed to have been accessed, acquired, used, or disclosed during the Breach; (ii) a brief description of what happened; (iii) a description of the types of PHI involved; (iv) steps individuals should take to protect themselves; (v) a brief description of what Business Associate is doing to investigate the Breach and mitigate harm; and (vi) contact procedures for individuals to ask questions.
(d) Covered Entity Responsibility
Covered Entity shall be responsible for providing notification to affected individuals and to HHS as required by 45 C.F.R. §§ 164.404 and 164.408 following receipt of notification from Business Associate.
7. Term and Termination
(a) Term
This Agreement shall be effective as of the Effective Date and shall continue until terminated in accordance with this Section 7, or until all PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, whichever is later.
(b) Termination for Cause
Either Party may terminate this Agreement, effective immediately upon written notice, if the other Party has materially breached this Agreement and such breach is not cured within thirty (30) days of written notice thereof. In the event of a material breach by Business Associate that relates to PHI, Covered Entity may also terminate any underlying services agreement.
(c) Effect of Termination
Upon termination of this Agreement for any reason, Business Associate shall, at the direction of Covered Entity, return or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, that Business Associate still maintains in any form. Business Associate shall retain no copies of such PHI. If return or destruction is infeasible, Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures to those purposes that make the return or destruction infeasible.
8. Indemnification
Each Party (the "Indemnifying Party") agrees to indemnify, defend, and hold harmless the other Party and its officers, directors, employees, agents, and successors (collectively, the "Indemnified Parties") from and against any and all claims, damages, losses, penalties, costs, and expenses (including reasonable attorneys' fees) arising from or related to:
- Any breach of this Agreement by the Indemnifying Party;
- Any violation of the HIPAA Rules by the Indemnifying Party;
- Any negligent or wrongful act or omission of the Indemnifying Party in connection with its obligations under this Agreement.
This indemnification obligation shall survive termination of this Agreement.
9. Disclaimer of Warranties / Limitation of Liability
EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, NEITHER PARTY MAKES ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, NEITHER PARTY SHALL BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES ARISING OUT OF OR RELATED TO THIS AGREEMENT, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
10. Governing Law and Jurisdiction
This Agreement shall be governed by and construed in accordance with the laws of the State of Florida, without regard to its conflict of laws principles, and subject to applicable federal law, including the HIPAA Rules. The Parties consent to the exclusive jurisdiction of the courts located in Florida for any disputes arising under this Agreement.
11. Relationship to Other Agreements
This Agreement supplements and is incorporated into any existing or future services, vendor, or other agreement between the Parties (the "Underlying Agreement"). In the event of a conflict between this Agreement and the Underlying Agreement with respect to the subject matter of HIPAA compliance or PHI, this Agreement shall control. The Mutual Non-Disclosure Agreement between the Parties shall remain in full force and effect and shall be construed consistently with this Agreement.
12. Amendment
The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for compliance with the requirements of the HIPAA Rules and any other applicable law. No amendment to this Agreement shall be valid unless made in writing and signed by authorized representatives of both Parties.
13. Miscellaneous
(a) Entire Agreement
This Agreement, together with any applicable Underlying Agreement, constitutes the entire agreement of the Parties with respect to its subject matter and supersedes all prior negotiations, understandings, and agreements relating to HIPAA compliance between the Parties.
(b) Severability
If any provision of this Agreement is found to be invalid or unenforceable, the remaining provisions shall remain in full force and effect.
(c) No Waiver
Failure to enforce any provision of this Agreement shall not constitute a waiver of a Party's right to enforce such provision.
(d) Counterparts
This Agreement may be executed in counterparts, each of which shall be deemed an original. Electronic signatures shall have the same force and effect as original signatures.
(e) Notices
All notices required under this Agreement shall be in writing and delivered by hand, overnight courier, certified mail (return receipt requested), or email with confirmation of receipt to the addresses set forth below or as otherwise designated by the Parties in writing.