Business Associate Agreement
This Business Associate Agreement (the "Agreement") by and between {Provider Name} ("Provider"), with the email address {Provider Email Address}, and Willetts Technology, Inc dba PUPS Check In Software ("Business Associate"), with a principal address at 446 N Mechanic Street, Cumberland, MD 21502, is made as of this 30th day of October, 2024.
WHEREAS, Provider develops and operates programs for people with behavioral, emotional, or physical challenges;
WHEREAS, Business Associate maintains certain medical and educational record systems (the "Services") to or on behalf of Provider;
WHEREAS, In the course of obtaining the Services from Business Associate, it is necessary for Provider, from time to time, to provide Protected Health Information, as such term is subsequently defined herein, to Business Associate;
WHEREAS, Provider is a Covered Entity, as such term is defined in the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), as amended by the Health Information Technology for Economic and Clinical Health Act of 2009 (the "HITECH Act"), and their associated regulations, specifically, 45 CFR §§ 160, 162 and 164, Standards for Privacy of Individually Identifiable Health Information, Final Rule (the "Final Privacy Rule") and Health Insurance Reform: Security Standards, Final Rule (the "Final Security Rule");
WHEREAS, because Provider is a Covered Entity, it is required to ensure that Business Associate will appropriately safeguard PHI and use, and, if necessary, disclose PHI only as necessary to provide the Services for Provider, consistent with applicable law and ethical principles, and will appropriately safeguard the PHI; and
WHEREAS, Business Associate is directly subject to the Final Security Rule to the same extent as Provider, may use and disclose PHI only in compliance with the terms of this Agreement, and is subject to the privacy subtitle of the HITECH Act to the same extent as Provider by operation of this Agreement.
NOW, THEREFORE, in consideration of the mutual covenants and agreements contained herein, the worth and sufficiency of which as legal consideration are hereby acknowledged, the parties hereto, intending to be legally bound hereby, agree as follows:
- Definitions
- For the purposes of this Agreement, all capitalized terms not defined herein shall have the meanings defined in the Final Privacy Rule and Final Security Rule, as may be amended from time to time.
- “Breach” shall mean the acquisition, access, use, or disclosure of PHI in a manner not permitted by HIPAA that compromises the security or privacy of the PHI. A Breach shall not include: (1) any unintentional acquisition, access, or use of PHI by a Workforce member or person acting under the authority of Provider or Business Associate, if such acquisition, access, or use was made in good faith and within the scope of authority, and the PHI was not further acquired, accessed, used, or disclosed; (2) any inadvertent disclosure by a person who is authorized to access PHI at Provider or Business Associate to another person authorized to access PHI at the same entity, or at an organized health care arrangement in which Provider participates, and the information received as a result of such disclosure is not further acquired, accessed, used, or disclosed; or (3) a disclosure of PHI where Provider or Business Associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.
- “Electronic Protected Health Information” (“EPHI”) shall mean PHI that is maintained in electronic media or transmitted by electronic media. EPHI is a subset of PHI.
- “Information Blocking Rules” shall mean the applicable provisions of the 21st Century Cures Act, Section 4004, as implemented by 45 C.F.R. part 171.
- “Information System” shall mean an interconnected set of information resources under the same direct management control that shares common functionality. A system normally includes hardware, software, information, data, applications, communications, and people.
- “Protected Health Information” (“PHI”) shall mean information provided to Business Associate by Provider, or provided to or created by Business Associate on behalf of Provider, including demographic information, which is (1) created or received by Provider; and (2) relates to the past, present, or future physical or mental health or condition of an Individual; the provision of health care to an Individual; or the past, present, or future payment for the provision of health care to an Individual; and (i) that identifies the Individual; or (ii) with respect to which there is a reasonable basis to believe the information can be used to identify the Individual.
- “Security Incident” shall mean the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
- “Workforce” shall mean employees, volunteers, trainees, and other persons whose conduct, in the performance of work for Provider or Business Associate, is under the direct control of such entity, whether or not they are paid by Provider or Business Associate.
- Term and Termination
- The Term of this Agreement shall be effective as of the date first set forth above and shall terminate when Business Associate ceases to perform services for Provider.
- Upon Provider’s knowledge of a material breach of this Agreement by Business Associate, Provider may either:
- Provide a fifteen (15) day opportunity for Business Associate to cure the breach or end the violation and, if Business Associate does not cure the breach or end the violation within the fifteen (15) day period, Provider may terminate this Agreement and the Services Agreement;
- If Business Associate has breached a material term of this Agreement and cure is not, in Provider’s reasonable determination, possible, Provider may immediately terminate this Agreement; or
- If neither termination nor cure are, in Provider’s sole determination, feasible, Provider shall report the violation to the Secretary of the U.S. Department of Health and Human Services (the “Secretary”).
- Except as provided in paragraph 2.c.1 below of this Section, upon termination of this Agreement for any reason, Business Associate shall return or destroy all PHI received from Provider, or created or received by Business Associate on behalf of Provider. This provision shall also apply to PHI that is in the possession of subcontractors or agents of Business Associate. Neither Business Associate nor any subcontractor or agent of Business Associate shall retain copies of the PHI.
- If Business Associate reasonably determines that returning or destroying the PHI is infeasible, Business Associate shall provide to Provider notification of the conditions that make return or destruction infeasible. Upon Provider’s written consent, which shall not be unreasonably withheld, that return or destruction of PHI is infeasible, Business Associate may retain the PHI that is not feasible to return, for so long as it remains infeasible to return such PHI. In such event, Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI.
- The provisions of this Section 2.c shall survive termination of this Agreement.
- Obligations of Business Associate
- Business Associate shall comply with the use and disclosure provisions of the Final Privacy Rule in performing its obligations under any agreement for services with Provider, and shall not use or disclose PHI other than as permitted or required under this Agreement or as Required by Law.
- Business Associate shall implement and use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement.
- Business Associate shall implement administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of EPHI that it creates, receives, maintains, or transmits on behalf of Provider, and to otherwise comply with the Final Security Rule in performing Business Associate’s obligations under this Agreement.
- Business Associate shall use best efforts to secure PHI to make it unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary in its annual guidance issued under section 13402(h) of the HITECH Act, codified at 42 U.S.C. § 17932(h).
- Business Associate shall mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this Agreement.
- Business Associate shall, within five (5) days, report to Provider any use or disclosure of PHI not provided for by this Agreement of which it becomes aware, including, but not limited to, any Security Incident and any unauthorized acquisition, access, use, or disclosure of PHI.
- Business Associate shall develop policies and procedures to both detect and report Breaches of PHI to Provider. Copies of such policies and procedures shall be made available to Provider upon its Request.
- Business Associate shall, following the discovery of a Breach of PHI, notify Provider of such Breach.
- Business Associate shall provide initial notice of the Breach no later than five (5) days after the discovery of the Breach. A Breach shall be treated as discovered as of the first day on which the Breach is known to the Business Associate or, by exercising reasonable diligence, would have been known to the Business Associate. Business Associate shall be deemed to have knowledge of a Breach if the Breach is known, or by exercising reasonable diligence, would have been known, to any person, other than the person committing the Breach, who is an employee, officer, or other agent of Business Associate.
- The initial notice shall include, to the extent possible, the identification of each individual whose PHI has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, or disclosed during such Breach. Business Associate shall make best efforts to collect and provide to Provider as soon as possible any such information that Business Associate is unable to provide in the initial notice.
- Business Associate shall, following notification to Provider of a Breach of PHI, cooperate with Provider in providing any and all information required for Provider to comply with the breach notification provisions of section 13402 of the HITECH Act and the implementing regulations set forth in Subpart D of the Final Privacy Rule (45 C.F.R. § 164.400 et seq.) and any other applicable breach notification laws and regulations.
- At the request of Provider, Business Associate shall provide prompt access to PHI to Provider or, as directed by Provider, to an Individual, in order to meet the Individual’s right of access requirements in accordance with 45 CFR § 164.524.
- Business Associate shall enter into legally binding agreements with each of its subcontractors and agents to ensure that any subcontractor or agent to whom Business Associate provides PHI received from, or created or received by, Business Associate on behalf of Provider agrees in writing to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information.
- Business Associate shall make any amendment to PHI that Provider directs, or to which Provider agrees pursuant to an Individual’s right to request amendment to his or her PHI in accordance with 45 CFR § 164.526.
- For purposes of the Secretary determining Provider’s compliance with the Final Privacy Rule and Final Security Rule, Business Associate shall make available to the Secretary, in a time and manner designated by the Secretary, its internal practices, books, and records (including policies and procedures), relating to the use and disclosure of PHI received from, or created or received by, Business Associate on behalf of Provider.
- Business Associate shall document such disclosures of PHI and information related to such disclosures as would be required for Provider to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with the Individual’s right to receive such accounting in accordance with 45 CFR § 164.528.
- Business Associate shall provide to Provider or an Individual, information collected in accordance with Section 3.n of this Agreement, to permit Provider to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with the Individual’s right to receive such accounting in accordance with 45 CFR § 164.528.
- Specific Use and Disclosure Provisions
- Except as otherwise limited by this Agreement, Business Associate may use PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate.
- Except as otherwise limited by this Agreement, Business Associate may disclose PHI for the proper management and administration of the Business Associate, provided that disclosures are Required By Law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and be used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
- Except as otherwise limited by this Agreement, Business Associate may use PHI to provide Data Aggregation services to Provider as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B).
- Business Associate may use PHI to report violations of law to appropriate Federal and State authorities, consistent with 45 C.F.R. § 164.502(j)(1).
- Business Associate may disclose PHI to the extent required by the Information Blocking Rules.
- Notice
- Whenever, under the terms of this Agreement, written notice is required or permitted to be given by one party to the other party, such notice shall be made in writing and sent by traceable carrier to such party’s address indicated below. Notice shall be deemed effective upon receipt.
{Provider Name}
{Provider Email Address}
Willetts Technology, Inc dba PUPS Check In
446 N Mechanic Street
Cumberland, MD 21502
- Subpoenas. Each party shall provide written notice to the other party of any subpoena or other legal process it receives seeking PHI: (a) received by Business Associate from Covered Entity; (b) created or received by Business Associate on behalf of Covered Entity; or (c) otherwise relating to Business Associate’s services under the Services Agreement. Such written notice shall be provided within forty-eight (48) hours of receipt of a subpoena or other legal process.
- Indemnification
- Business Associate shall indemnify, hold harmless and defend Provider from and against any and all claims, losses, liabilities, costs, and other expenses resulting from, or relating to, the acts or omissions of Business Associate or by its employees, directors, officers, subcontractors, or agents in connection with the duties and obligations of Business Associate under this Agreement, including, without limitation, any reasonable expenses Provider incurs in notifying individuals of a Breach caused by Business Associate or its subcontractors or agents. The parties’ respective rights and obligations under this Section 6 shall survive termination of the Agreement.
- Miscellaneous
- This Agreement sets forth the entire understanding and agreement between the parties relating to the use and disclosure of PHI and shall be binding upon the parties and their respective successors, heirs and assigns. All prior negotiations, agreements, and understandings regarding the use and disclosure of PHI are superseded hereby.
- This Agreement may not be amended or revised except with the written consent of the parties. The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for Provider to comply with the requirements of HIPAA.
- This Agreement shall be automatically assigned to and assumed by any legal successor or affiliate of the assignor who or which assumes responsibility for assignor’s obligations under any agreement between the parties concerning the services provided by Business Associate for or on behalf of Provider.
- This Agreement shall be construed and enforced pursuant to the laws of the state of Pennsylvania.
- The invalidity or unenforceability of any particular provision or part thereof of this Agreement shall not affect the remainder of this Agreement, and this Agreement shall be construed in all respects as if such invalid or unenforceable provision or part thereof had been omitted.
- This Agreement shall not create nor be deemed to create any relationship between Provider and Business Associate other than that of independent contractors contracting with each other solely for the purpose of performing the Services. Neither Provider nor Business Associate shall assume or be responsible for the acts, omissions, liabilities, debts, or other obligations of the other party, other than as specifically set forth in this Agreement.
- Any failure or delay by either party in exercising any right under this Agreement shall not operate as a waiver of such party’s rights, nor shall any single or partial exercise of any right serve to preclude a subsequent exercise of such right.
- This Agreement shall be construed as broadly as necessary to implement and comply with HIPAA, the HITECH Act, and the Information Blocking Rules. Any ambiguity in this Agreement shall be resolved to permit Provider to comply with the Final Privacy Rule, the Final Security Rule and any other applicable provisions of HIPAA, the HITECH Act or the Information Blocking Rules.
- Notwithstanding anything to the contrary in this Agreement, nothing herein shall be construed to require Business Associate to take any action, the consequence of which could reasonably be foreseen to result in the waiver or loss of any legal right or ethical obligation of either Provider or Business Associate to keep any information confidential.
- This Agreement may be executed in one or more counterparts and each of such counterparts shall, for all purposes, be deemed to be an original, but all of such counterparts shall constitute one and the same instrument. The resulting instrument shall be binding upon all signatories hereof who sign below.
[Signature Page Follows]
IN WITNESS WHEREOF, the parties hereto have executed this Agreement as of the date first set forth above.