Business Associate Agreement

Last updated6/10/2021

To the extent that Covered Entity discloses Protected Health Information to Business Associate (or BusinessAssociate handles Protected Health Information on Covered Entity's behalf) in connection with services or products provided to Covered Entity, or as otherwise required or allowed by the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996, codified at42 U.S.C. §1320d through d-9, as amended, ("HIPAA"), and only to the extent required by law, CoveredEntity and Business Associate agree to the following terms and conditions, which are intended to comply with HIPAA, the Health Information Technology forEconomic and Clinical Health Act ("HITECH Act") and their implementing regulations:

 

1.  General Terms and Conditions

(a) "BA Agreement" shall mean thisHIPAA Business Associate Agreement.

(b) "Business Associate" shall generally have the same meaning as the term "business associate" at45 C.F.R. §160.103, and in reference to the party to this BA Agreement, shall mean Nextech Systems LLC.

(c) "Covered Entity" shall generally have the same meaning as the term "covered entity" at 45C.F.R. §160.103, and in reference to the party to this BA Agreement, shall mean the entity identified on the Purchase Agreement.

(d) "HIPAA Rules" shall mean thePrivacy, Security, Breach Notification, and Enforcement Rules at 45 C.F.R. Part160 and Part 164.

(e) Service Agreement" shall mean the separate agreement(s) between the parties in which Business Associate performs functions or activities on behalf of Covered Entity.

(f) Other definitions: The following terms used in this BA Agreement shall have the same meaning as those in the HIPAA Rules: Breach, Data Aggregation, Designated RecordSet, Disclosure, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Protected Health Information (to the extent suchProtected Health Information is received, used, disclosed, accessed or maintained by Business Associate), Required By Law, Secretary, SecurityIncident, Subcontractor, Unsecured Protected Health Information, and Use. Other terms shall have the definitions set forth in this BA Agreement.

 

2. Obligations and Activities of Business Associate

(a)Business Associate agrees to not Use orDisclose Protected Health Information other than as permitted or required by this BA Agreement, as Required By Law, or as contemplated by the ServiceAgreement.

(b)Business Associate agrees to use appropriate safeguards, including compliance with Subpart C of 45 C.F.R. Part164 with respect to electronic Protected Health Information, to prevent Use orDisclosure of the electronic Protected Health Information other than as permitted by this BA Agreement.

(c) Business Associate agrees to report toCovered Entity's Privacy Official any Use or Disclosure of Protected HealthInformation not provided for by this BA Agreement of which it becomes aware, including Breaches of Unsecured Protected Health Information as required by 45C.F.R. §164.410, and any Security Incident of which it becomes aware. For reports of incidents constituting aBreach, the report shall include, to the extent available, the identification of each individual whose Unsecured Protected Health Information has been, or is reasonably believed by Business Associate to have been, accessed, acquired, orDisclosed during such Breach. SecurityIncidents that do not result in any unauthorized access, use, disclosure,modification, destruction of information or interference with system operationswill be reported in the aggregate upon written request of Covered Entity in amanner and frequency mutually acceptable to the parties. Business Associate hereby reports to CoveredEntity that incidents including, but not limited to, ping sweeps or othercommon network reconnaissance techniques, attempts to log on to a system withan invalid password or username, and denial of service attacks that do notresult in a server being taken off line, may occur from time to time will only be reported in the aggregate.

(d) In accordance with 45 C.F.R.§§164.502(e)(1)(ii) and 164.308(b)(2), if applicable, Business Associate agreesto ensure that subcontractors that create, receive, maintain, or transmitProtected Health Information on behalf of Business Associate agree to the same restrictions, conditions and requirements that apply through this BA Agreementto Business Associate with respect to such information.

(e) To the extent Business Associate hasProtected Health Information in an existing Designated Record Set, and only tothe extent required by HIPAA, Business Associate agrees to make availableProtected Health Information in a Designated Record Set, to Covered Entity asnecessary to satisfy Covered Entity's obligations under 45 C.F.R. §164.524. TheParties agree and acknowledge that, while both entities may have to respond toa request pursuant to 45 C.F.R. §164.524(d)(3), it is Covered Entity'sresponsibility to respond initially to all such requests and, pursuant to thisAgreement, to notify Business Associate if Covered Entity has told anindividual to contact Business Associate directly.

(f) Business Associate agrees to makeProtected Health Information available for purposes of any amendment(s) toProtected Health Information in its possession contained in a Designated RecordSet as agreed to by Covered Entity pursuant to 45 C.F.R. §164.526 or take othermeasures as necessary to satisfy Covered Entity's obligations under 45 C.F.R.§164.526. The Parties agree andacknowledge that it is Covered Entity's responsibility to respond to all suchrequests and to notify Business Associate of any amendment or refusal to amend.

(g) Business Associate agrees to maintainand make available the information required to provide an accounting ofdisclosures to Covered Entity as necessary to satisfy Covered Entity'sobligations under 45 C.F.R. §164.528(b), subject to the exceptions in 45 C.F.R.§164.528(a). The Parties agree andacknowledge that it is Covered Entity's responsibility to respond to all suchrequests. As disclosures must be made for the period six (6) years prior to therequest or such shorter period if requested by an individual, the Parties agreethat the responsibility of Business Associate to provide this information shallnot extend beyond termination of this or a subsequent BA Agreement.

(h) To the extent Business Associate is to carry out one or more of Covered Entity's obligations under Subpart E of 45C.F.R. Part 164 of the HIPAA Rules, Business Associate agrees to comply with the requirements of Subpart E that apply to Covered Entity in the performance of such obligation(s).

(i)        Business Associate agrees to makeProtected Health Information of Covered Entity’s patients available whenever such patients participate in a third party program requiring access to patient data.

 

(j)        Business Associate agrees to make its internal practices, books, and records related to Business Associate's use and disclosure of Protected Health Information received from Covered Entity available to the Secretary for purposes of determining compliance with theHIPAA Rules.

 

3. PermittedUses and Disclosures of Protected Health Information by Business Associate

(a) Business Associate may use or discloseProtected Health Information as necessary to perform the services set forth inthe Service Agreement, as permitted in this BA Agreement and the ServiceAgreement, and as otherwise permitted by the HIPAA Rules.

(b) Business Associate may Use or DiscloseProtected Health Information as Required By Law.

(c) BusinessAssociate agrees to make uses and disclosures and requests for Protected HealthInformation consistent with the requirements in the HIPAA Rules regardingMinimum Necessary uses and disclosures. Covered Entity represents and warrants that its Minimum Necessarypolicies and procedures and the Notice of Privacy Practices are consistentwith, and not more stringent than, the HIPAA Rules or, to the extent thatCovered Entity's Notice of Privacy Practices or policies and proceduresregarding the Minimum Necessary requirements of the HIPAA Rules imposeadditional particular restrictions on Business Associate, Covered Entity agreesto provide such policies to Business Associate in writing prior to requestingthat Business Associate perform a particular function or activity on behalf ofCovered Entity that would be affected by such policies and procedures.

(d) Business Associate may createde-identified information that may be used and disclosed by Business Associateas Business Associate deems appropriate, provided that the information isde-identified in accordance with the HIPAA Rules.

(e) Business Associate may use ProtectedHealth Information to provide Data Aggregation services to Covered Entity.Business Associate may also use Protected Health Information to create, use anddisclose a Limited Data Set consistent with the HIPAA Rules.

(f) Business Associate may use and discloseProtected Health Information to report violations of law to appropriate Federaland State authorities, in a manner consistent with the HIPAA Rules.

(g) Business Associate may not use or disclose Protected Health Information in a manner that would violate Subpart Eof 45 C.F.R. Part 164 if done by Covered Entity, except for the specific usesand disclosures set forth below.

(h) Business Associate may use ProtectedHealth Information for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate.

(i) Business Associate may discloseProtected Health Information for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, provided that the disclosures are Required By Law or Business Associate obtains reasonable assurances from the person to whom the informationis disclosed that the information will remain confidential and used or furtherdisclosed only as Required By Law or for the purposes for which it wasdisclosed to the person, and the person notifies Business Associate of anyinstances of which it is aware in which the confidentiality of the informationhas been breached.

(j) Business Associate may disclose Protected Health Information to third parties on a continuing basis at therequest of Covered Entity’s patients, including where patients have a standingrequest to Covered Entity to transfer such information or where patients participate in any type of third party program and authorize transmission oftheir data.

 

4. Obligations of Covered Entity

(a) Covered Entity shall notify Business Associate, in writing and in a timely manner, of any limitation(s) in the Notice of Privacy Practices of Covered Entity under 45 C.F.R. §164.520, and itspolicies regarding the "minimum necessary" requirements in 45 C.F.R.§164.502(b) to the extent that such limitation may affect Business Associate's Use or Disclosure of Protected Health Information, and to notify BusinessAssociate of any material changes thereof.

(b) Covered Entity shall notify Business Associate, in writing and in a timely manner, of any changes in, or revocation of, permission by Individual to Use or Disclose Protected Health Information,if such changes may affect Business Associate's Use or Disclosure of ProtectedHealth Information.

(c) Covered Entity shall notify Business Associate, in writing and in a timely manner, of any restriction on the Use and/or Disclosure of Protected Health Information to which Covered Entity has agreed or is required to abide by under 45 C.F.R. §164.522, to the extent that such restriction may affect Business Associate's Use or Disclosure of ProtectedHealth Information.

(d) Covered Entity agrees to comply with all applicable state and federal privacy and security laws and regulations, including the HIPAA Rules. CoveredEntity agrees to obtain any patient authorizations or consents that may be required under state or federal law or regulation in order to (i) transmitProtected Health Information to Business Associate; (ii) enable BusinessAssociate and its subcontractors to Use and Disclose Protected HealthInformation as contemplated by this BA Agreement and the Service Agreement; and(iii) allow Business Associate tot ransfer patient data to third parties if patients participate in third party programs.

(e) Covered Entity may not ask BusinessAssociate to Use or Disclose Protected Health Information in any manner thatwould not be permissible under applicable laws and rules, including the HIPAARules, if done by Covered Entity, except that Business Associate may use or disclose Protected Health Information for its proper management and administration, data aggregation, and other activities specifically permitted by this BA Agreement.

(f) Covered Entity will notify BusinessAssociate within twenty-four (24) hours of directing patients to contactBusiness Associate directly for access to their data.

(g) Covered Entity agrees to notify BusinessAssociate within ten (10) business days of any amendment to patient records.

(h) Covered Entity agrees to notify BusinessAssociate within ten (10) business days of receiving a patient request for an accounting of disclosures and the period covered by such request.

 

5. Limitationof Liability

(a) Limitation of Liability: IN NO EVENT SHALL NEXTECH BE LIABLE FOR ANY SPECIAL, INCIDENTAL, INDIRECT, PUNITIVE OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF BUSINESS PROFITS, BUSINESS INTERRUPTION, LOSS OF BUSINESS INFORMATION,3RD PARTY COST, PRACTICE STAFF TIME COSTS OR ANY OTHER PECUNIARY LOSS), WHETHER FORESEEABLE OR NOT FORESEEABLE AND WHETHER ARISING OUT OF BREACH OF ANY EXPRESS OR IMPLIED WARRANTY, BREACH OF CONTRACT, NEGLIGENCE, MISREPRESENTATION, STRICT LIABILITY IN TORT OR OTHERWISE, AND WHETHER BASED ON THIS AGREEMENT OR ANY TRANSACTION PERFORMED OR UNDERTAKEN UNDER OR IN CONNECTION WITH THIS AGREEMENT.

(b) Remedies: THE CUSTOMER AGREES THAT NEXTECH'S TOTAL LIABILITY TO THE CUSTOMER OR ANY THIRD PARTY FOR DAMAGES, REGARDLESS OF THE FORM OF ACTION, SHALL, IN ANY EVENT, NOT EXCEED THE FEES PAID TO NEXTECH DURING THE PRECEDING TWELVE (12) MONTHS FOR ANY SERVICES PERFORMED IN CONNECTION WITH THE SERVICES AGREEMENT.

(c) Applicable Law:Notwithstanding the foregoing, this Section 5 will not apply when and to the limited extent that applicable law specifically requires liability despite the foregoing exclusions and limitations.

(d) Survival. The provisions of this section 5 shall survive termination of this BA Agreement.


6. Survivaland Termination

(a) Term and Survival

Except as otherwise provided herein, the term of this BA Agreement shall coincide with the Service Agreement and shall be terminable in accordance with the termination provisions of the Service Agreement, or the date either party terminates for cause, as authorized in paragraph (b)of this Section, whichever is sooner.

(b) Termination for Cause

Upon a party's knowledge of a material breach by the other, the non-breaching party shall provide written notice to the breaching party and may terminate this BAAgreement if the breaching party does not cure the breach or end the violation within 30 days of receipt of such notice.

(c) Effect of Termination

(i) Except as provided below in Subsection 6(c)(ii) ofthis BA Agreement, upon termination of this BA Agreement, for any reason, Business Associate shall return or destroy all Protected Health Informationreceived from Covered Entity, or created or received by Business Associate onbehalf of Covered Entity, that Business Associate still maintains in any form.Business Associate shall retain no copies of the Protected Health Information.

(ii)In the event that Business Associate determines that it needs to retain Protected Health Information in order to Use or Disclose Protected Health Information for its own management and administration or to carry out its legal responsibilities, Business Associate may retain such Protected Health Information. Upon termination of this BA Agreement for any reason, BusinessAssociate, with respect to Protected Health Information received from CoveredEntity, or created, maintained, or received by Business Associate on behalf ofCovered Entity, shall:

  1. Retain only that Protected HealthInformation which is necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities;
  2.  Return or destroy the remainingProtected Health Information that Business Associate still maintains in any form;
  3. Continue to use appropriate safeguards to comply with Subpart C of 45 C.F.R. Part 164 with respect to electronicProtected Health Information to prevent Use or Disclosure of the ProtectedHealth Information, other than as provided for in this Section, for as long asBusiness Associate retains the Protected Health Information;
  4. Not Use or Disclose the Protected HealthInformation retained by Business Associate other than for the purposes for which such Protected Health Information was retained and subject to the same conditions set out at Subsections 3(h)-(i)above which applied prior to termination; and
  5. Return to Covered Entity or destroy theProtected Health Information retained by Business Associate when it is no longer needed by Business Associate for its proper management and administration or to carry out its legal responsibilities.

(d) Business Associate's obligations under thisSection 6 shall survive the termination of this BA Agreement.

 

7. Interpretation and Amendment of this BA Agreement

A regulatory reference in this BAAgreement to a section of the HIPAA Rules means the section as in effect or as amended. Any ambiguity or inconsistency in this BA Agreement shall be interpreted to permit compliance with the HIPAARules. This BA Agreement supersedes any and all prior representations, understandings, or agreements, written or oral, concerning the subject matter herein, including conflicting provisions of the ServiceAgreement. The parties hereto agree to negotiate in good faith to amend this BA Agreement from time to time as is necessary for compliance with the requirements of HIPAA or any other applicable law and for Business Associate to provide services toCovered Entity. However, no change, amendment, or modification of this BA Agreement shall be valid unless it is set forth in writing and signed by both parties. When provisions of this BA Agreement are different than those in theHIPAA Rules, but are nonetheless permitted by the HIPAA Rules, the provisions of this BA Agreement shall control. Any ambiguity in this BA Agreement shall be resolved to permit the parties to comply with the HIPAA Rules.

 

8. No Third Party Rights/Independent Contractors

The terms and conditions of this BA Agreement are intended for the sole benefit of Business Associate and Covered Entity and do not create any third party rights. The parties declare that they are independent contractors and not agents of each other, except as otherwise required by law or regulation.

 

9. Accessto Books and Records

To theextent required by law, upon the written request of the Secretary of Health andHuman Services, the Comptroller General or any of their duly authorizedrepresentatives, the Parties shall make available those contracts, books,documents and records necessary to verify the nature and extent of the costs ofproviding products and services under this BA Agreement. Such inspection shallbe available for up to four (4) years after the provision of such services. IfBusiness Associate carries out any of the duties of this Agreement through asubcontract with a value of $10,000.00 or more over a twelve (12) month periodwith a related individual or organization, Business Associate agrees to includethis requirement in any such subcontract. No attorney-client,accountant-client, or other legal privilege will be deemed to have been waivedby the Parties by virtue of this provision.

 

10. Notices

Any notice required or permitted bythis BA Agreement to be given or delivered shall be in writing and shall bedeemed given or delivered if delivered in person, or sent by courier orexpedited delivery service, or sent by registered or certified mail, postageprepaid, return receipt requested, or sent by facsimile (if confirmed), to theaddress set forth below the Party’s signature. Each party may change its address for purposes of this BA Agreement bywritten notice to the other party.

11. Governing Law

To the extent not preempted byfederal law, the BA Agreement shall be governed and construed in accordancewith the state laws governing the Service Agreement, without regard toconflicts of law provisions that would require application of the law of anotherstate.

 

12. Binding Nature and Benefits

This BA Agreement binds and benefitsthe parties, and their respective successors, and their permitted assigns.

 

13. Severability

Whenever possible, each provision of this BA Agreement shall beinterpreted so as to be effective and valid under applicable law. If any provision of this BA Agreement shouldbe prohibited or found invalid under applicable law, such provision shall beineffective to the extent of such prohibition or invalidity withoutinvalidating the other of such provision or the remaining provisions of this BAAgreement; provided, however, that if any such invalid provision is material toan extent that a party would not have entered into the BA Agreement absent suchprovision, then that party may terminate the BA Agreement upon ninety (90)calendar days' prior written notice to the other party.