HIPAA Business Associate Agreement
This Business Associate Agreement (“BAA”) is entered into by and between Alara Imaging, Inc. (“Business Associate”) and Health Care Provider (“Covered Entity”) and is effective as of the date the parties enter into the Alara Imaging Health Care Provider Terms of Service (“Effective Date”). Business Associate and Covered Entity may be referred to herein collectively as the “Parties” or individually as a “Party.” This BAA is incorporated into and made part of the Alara Imaging Health System Partner Terms of Service (the “Services Agreement”).
1. Scope; Definitions.
(a) This BAA shall be effective to the extent Business Associate has agreed to perform Services that require Business Associate to create, receive, maintain, or transmit PHI pursuant to the Services Agreement.
(b) All capitalized terms used but not defined herein shall have the meaning set forth in the HIPAA Rules or the Services Agreement, as applicable; provided, however, that in the event of a conflict between defined terms, the HIPAA Rules shall control.
(c) The following terms are specifically defined as follows:
(i) “Business Associate” has the same meaning as the term “business associate” at 45 CFR 160.103, and, subject to Section 1(a), in reference to the Party to this BAA, shall mean Alara.
(ii) “Covered Entity” has the same meaning as the term “covered entity” at 45 CFR 160.103, and in reference to the Party to this BAA, shall mean the Health Care Provider entering into the Services Agreement.
(iii) “Electronic Protected Health Information” or “ePHI” has the same general meaning as the term “electronic protected health information” at 45 C.F.R. § 160.103, but for purposes of this BAA is limited to the ePHI created, received, transmitted, or maintained by Business Associate for or on behalf of Covered Entity.
(iv) “HIPAA Rules” means the Health Insurance Portability and Accountability Act of 1996, the Health Information Technology for Economic and Clinical Health Act, and the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164, each as amended from time to time.
(v) “Protected HealthInformation” or “PHI” has the same general meaning as the term “protected health information” at 45 C.F.R. §160.103, but for purpose of this BAA is limited to the PHI created, received, transmitted, or maintained by Business Associate for or on behalf of CoveredEntity.
(vi) “Services” means the services that Business Associate provides to Covered Entity pursuant to the Services Agreement.
(vii) “Unsuccessful Security Incidents” means, without limitation, pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denial of service attacks, and any combination of the above, so long as no such incident results in unauthorized access, Use or Disclosure of Covered Entity’s ePHI.
2. Obligations and Activities ofBusiness Associate.
(a) Business Associate agrees not to Use or Disclose PHI received or created by Business Associate except as permitted by this BAA, the Services Agreement, or as Required by Law.
(b) Business Associate agrees to use appropriate safeguards, and to comply with Subpart C of45 CFR Part 164 with respect to ePHI, to prevent Use or Disclosure of PHI other than as provided for by this BAA, the Services Agreement, or as Required by Law.
(c) Business Associate agrees to report to Covered Entity any Use or Disclosure of PHI not provided for by this BAA of which it becomes aware, including a Breach of Unsecured PHI as required under 45 C.F.R. §164.410, and any Security Incident of which it becomes aware. Notwithstanding the foregoing, the Parties acknowledge and agree that this Section 2(c) constitutes notice by Business Associate to Covered Entity of the ongoing existence and occurrence or attempts of Unsuccessful Security Incidents for which no additional notice to Covered Entity shall be required.
(d) Business Associate agrees, in accordance with 45 CFR 164.502(e)(1)(ii) and164.308(b)(2), if applicable, to obtain from any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate pursuant to this BAA and the Services Agreement, reasonable written assurances that the Subcontractor will adhere to the restrictions and conditions that apply to Business Associate pursuant to this BAA with respect to such PHI.
(e) Business Associate agrees to make available, at the request of Covered Entity, PHI that is maintained in a Designated Record Set (if any) as necessary to allow CoveredEntity to satisfy its obligations under 45 C.F.R. §164.524.
(f) Business Associate agrees to make amendment(s) to PHI maintained in a Designated Record Set (if any), as requested by the Covered Entity, pursuant to 45 C.F.R.§164.526, or take other measures as reasonably necessary to enable Covered Entity to satisfy its obligations under 45 C.F.R. §164.526.
(g) Business Associate agrees to maintain and make available to Covered Entity the information required to provide an accounting of Disclosures, as reasonably necessary to satisfy Covered Entity’s obligations under 45 C.F.R.§164.528.
(h) For clarity, with respect to the forgoing Sections 2(e)-(g), in no case shall Business Associate be responsible for responding directly to any Individual who submits a request to Business Associate pursuant to 45 CFR §§ 164.524 -164.528; provided, however, that Business Associate shall promptly forward such requests to Covered Entity in accordance with Sections 2(e)-(g).
(i) To the extent that Business Associate is to carry out one or more of Covered Entity’s obligation(s) under Subpart E of 45 CFR Part 164, Business Associate agrees to comply with the requirements of Subpart E that apply to Covered Entity in the performance of such obligation(s).
(j) Business Associate agrees to make its internal practices, books, and records, regarding the Use and Disclosure of PHI created or received by Business Associate for or on behalf of the Covered Entity available to the Secretary for purposes of the Secretary determining compliance with the HIPAA Rules.
3. Permitted Uses and Disclosures by Business Associate.
(a) Business Associate may Use or Disclose PHI as necessary to perform the Services set forth in Service Agreement or as Required by Law.
(b) Business Associate may Use PHI for its proper management and administration, or to carry out its legal responsibilities.
(c) Business Associate may Disclose PHI for its proper management and administration, or to carry out its legal responsibilities, provided the Disclosures are (i) Required by Law, or (ii) Business Associate obtains reasonable assurances from the person to whom the information is Disclosed that the information will remain confidential and Used or further Disclosed only as Required by Law or for the purposes for which it was Disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
(d) Business Associate may provide Data Aggregation services relating to the Health Care Operations of Covered Entity.
(e) Business Associate may Use PHI to de-identify the information in accordance with 45 CFR164.514(a)-(c).
4. Obligations of Covered Entity.
(a) During the Term of this BAA, Covered Entity shall:
(i) Notify Business Associate of any limitations in its Notice of Privacy Practices, to the extent that such limitation may affect Business Associate’s Use or Disclosure of PHI;
(ii) Notify Business Associate of any changes in, or revocation of, permission by an Individual to Use or Disclose PHI, to the extent that such changes may affect Business Associate’s Use or Disclosure of PHI;
(iii) Not request Business Associate to Use or Disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Covered Entity (other than as permitted pursuant to Sections 3(b)-(d) above); and
(iv) Comply with all of the HIPAA Rule requirements applicable to Covered Entity.
5. Term and Termination.
(a) Term. The Term of this BAA shall commence on the Effective Date and, except for the rights and obligations set forth in this BAA specifically surviving termination, shall terminate upon the termination or expiration of the Services Agreement, unless otherwise earlier terminated for cause in accordance with this Section 5.
(b) Termination by Covered Entity. In addition to any termination provisions set forth in the applicable Services Agreement, Covered Entity may terminate this BAA if Covered Entity determines, in good faith and after reasonable investigation, that Business Associate has violated a material term of this BAA, and Business Associate has failed to cure such material breach or end the violation within thirty (30) days of notice by Covered Entity to Business Associate of such alleged breach.
(c) Termination by Business Associate. In addition to and not withstanding any termination provisions set forth in the applicable Services Agreement, Business Associate may terminate this BAA if Business Associate determines, in good faith and after reasonable investigation, that Covered Entity has violated a material term of this BAA, and Covered Entity has failed to cure such material breach or end the violation within thirty (30) days of notice by Business Associate to Covered Entity of such alleged breach.
(d) Effect of Termination. Upon termination or expiration of this BAA for any reason, Business Associate shall:
(i) Retain only that PHI which is necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities (if any);
(ii) Return to Covered Entity or destroy the remaining PHI that Business Associate still maintains in any form that is not necessary to carry out Section 5(d)(i);
(iii) Continue to use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 with respect to ePHI to prevent Use or Disclosure of the PHI, other than as provided for in this Section 5(d), for as long as Business Associate retains the PHI;
(iv) Not Use or Disclose the PHI retained by Business Associate other than for the purposes for which such PHI was retained and subject to the same conditions set out at Sections 3(b)-(d) which applied prior to termination; and
(v) Return to Covered Entity or destroy the PHI retained by Business Associate when it is no longer needed by Business Associate for its proper management and administration, or to carry out its legal responsibilities.
6. Change in Law.
In the event a change in the HIPAA Rules or any other state or federal laws require the Parties to amend this BAA, the Parties agree to negotiate such amendment in good faith, provided that either Party may terminate this BAA upon notice if the Parties are unable to mutually agree upon and execute such amendment.