This Business Associate Agreement, dated as of the date last signed below (“BA Agreement”), supplements and is made a part of the Membership Agreement (as defined below) by and between the Member, listed on the signature page below (“Covered Entity”) and Arlozorov9, Inc. (“Alma” or “Business Associate”). Covered Entity and Business Associate may be referred to herein collectively as the “Parties” or individually as “Party.”
WHEREAS, Covered Entity and Business Associate are parties to the Membership Agreement
pursuant to which Business Associate provides certain services to Covered Entity. In connection
with Business Associate’s services, Business Associate creates, receives, maintains or transmits
Protected Health Information from or on behalf of Covered Entity, which information is subject to
protection under the Federal Health Insurance Portability and Accountability Act of 1996,
(“HIPAA”), the Health Information Technology for Economic and Clinical Health Act of 2009 (the
“HITECH Act”), and related regulations promulgated thereunder (“HIPAA Regulations”); and
WHEREAS, in light of the foregoing and the requirements of HIPAA, the HITECH Act, and HIPAA
Regulations, the Parties agree to be bound by the following terms and conditions.
NOW, THEREFORE, for good and valuable consideration, the receipt and sufficiency of which is
hereby acknowledged, the Parties agree as follows:
- General. Terms used, but not otherwise defined, in this BA Agreement shall have the
same meaning given to those terms by HIPAA, the HITECH Act and HIPAA Regulations as in
effect or as amended from time to time.
- Membership Agreement. “Membership Agreement” shall mean any present or future
agreements, either written or oral, between Covered Entity and Business Associate under
which Business Associate provides services to Covered Entity which involve the use or
disclosure of Protected Health Information. The Membership Agreement is amended by and
incorporates the terms of this BA Agreement.
Obligations and Activities of Business Associate.
- Use and Disclosure. Business Associate agrees not to use or disclose Protected Health
Information other than as permitted or required by the Membership Agreement, this BA
Agreement or as Required by Law. Business Associate shall comply with the provisions of
this BA Agreement relating to privacy and security of Protected Health Information and all
present and future provisions of HIPAA, the HITECH Act and HIPAA Regulations that relate
to the privacy and security of Protected Health Information and that are applicable to
Covered Entity and/or Business Associate.
- Appropriate Safeguards. Business Associate agrees to use appropriate safeguards and
comply, where applicable, with the Security Rule to prevent the use or disclosure of the
Protected Health Information other than as provided for by this BA Agreement. Without limiting the generality of the foregoing sentence, Business Associate will:
  - Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of Electronic Protected Health Information as required by the Security Rule; and
  - Ensure that any Subcontractor to whom Business Associate provides Electronic Protected Health Information agrees in writing to implement reasonable and appropriate safeguards and comply, where applicable, with the Security Rule to protect Electronic Protected Health Information and comply with the other requirements of Section 2(a) above.
- Business Associate agrees to promptly, and at most within twenty (20) business days, report to Covered Entity any of the following:
  - Any use or disclosure of Protected Health Information not permitted by this BA Agreement of which Business Associate becomes aware.
  - Any Security Incident of which Business Associate becomes aware.
  - The discovery of a Breach of Unsecured Protected Health Information.
- A Breach is considered “discovered” as of the first day on which the Breach is known, or reasonably should have been known, to Business Associate or any employee, officer or agent of Business Associate, other than the individual committing the Breach. Any notice of a Security Incident or Breach of Unsecured Protected Health Information shall include the identification of each Individual whose Protected Health Information has been, or is reasonably believed by Business Associate to have been, accessed, acquired or disclosed during such Security Incident or Breach as well as any other relevant information regarding the Security Incident or Breach. Any such notice shall be directed to Covered Entity pursuant to the notice provisions of the Membership Agreement or to the Privacy Officer of Covered Entity.
- Subcontractors. Business Associate shall ensure that any Subcontractor to whom Business Associate provides Protected Health Information received from, or created, maintained, received or transmitted by, Business Associate on behalf of Covered Entity agrees in writing to substantially the same restrictions and conditions that apply through this BA Agreement to Business Associate.
- Designated Record Sets. Business Associate shall not possess or maintain Protected Health Information in a Designated Record Set.
- Access to Books and Records. Business Associate agrees to make its internal practices, books, and records, including policies and procedures and Protected Health Information, relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of, Covered Entity available to the Secretary, within five (3) business days of such request or in the time and manner otherwise designated by the Secretary, for purposes of the Secretary determining Covered Entity’s compliance with the Privacy Rule.
- Accountings. Business Associate agrees to document such disclosures of Protected Health Information and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with HIPAA, HIPAA Regulations and the HITECH Act.
- Requests for Accountings. Business Associate agrees to provide to Covered Entity or an Individual, within twenty (20) days of a request by Covered Entity, information collected in accordance with Section 2(h) of this BA Agreement, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with HIPAA, HIPAA Regulations and the HITECH Act.
Permitted Uses and Disclosures by Business Associate.
- Membership Agreement. Except as otherwise limited in this BA Agreement, Business
Associate may use or disclose Protected Health Information to perform functions,
activities, or services for, or on behalf of, Covered Entity as specified in the Membership
Agreement, provided that such use or disclosure would not violate HIPAA, HIPAA
Regulations or the HITECH Act if done by Covered Entity or the minimum necessary
policies and procedures of the Covered Entity.
- Use for Administration of Business Associate. Except as otherwise limited in this BA
Agreement, Business Associate may use Protected Health Information for the proper
management and administration of the Business Associate or to carry out the legal
responsibilities of the Business Associate.
- Disclosure for Administration of Business Associate. Except as otherwise limited in this BA
Agreement, Business Associate may disclose Protected Health Information for the proper
management and administration of the Business Associate, provided that (i) disclosures
are Required by Law, or (ii) Business Associate obtains reasonable assurances from the
person to whom the information is disclosed that it will remain confidential and used or
further disclosed only as Required by Law or for the purpose for which it was disclosed to
the person, and the person notifies the Business Associate of any instances of which it is
aware in which the confidentiality of the information has been breached.
Permissible Requests by Covered Entity. Except as set forth in Section 3 of this BA Agreement,
Covered Entity shall not request Business Associate to use or disclose Protected Health
Information in any manner that would not be permissible under the Privacy Rule if done by
Term and Termination.
- Term. This BA Agreement shall be effective as of the date of this BA Agreement and shall
terminate when all of the Protected Health Information provided by Covered Entity to
Business Associate, or created, received or maintained by Business Associate on behalf of
Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or
destroy Protected Health Information, protections are extended to such information, in
accordance with the termination provisions in this Section.
- Termination for Cause. Upon Covered Entity’s knowledge of a material breach by Business Associate of the terms of this BA Agreement, Covered Entity shall provide an opportunity for Business Associate to cure the breach or end the violation. If Business Associate does not cure the breach or end the violation within the time specified by Covered Entity, Covered Entity shall terminate: (i) this BA Agreement; and (ii) all of the provisions of the Membership Agreement that involve the use or disclosure of Protected Health Information; or
- Effect of Termination.
  - Except as provided in Section 5(c)(ii), upon termination of this BA Agreement, for any reason, Business Associate shall return or destroy all Protected Health Information received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity. This provision shall apply to Protected Health Information that is in the possession of Subcontractors or agents of Business Associate. Business Associate shall retain no copies of the Protected Health Information.
  - In the event that Business Associate determines that returning or destroying the Protected Health Information is infeasible, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction infeasible. Upon mutual agreement of the Parties that return or destruction of Protected Health Information is infeasible, Business Associate shall extend the protections of this BA Agreement to such Protected Health Information and limit further uses and disclosures of such Protected Health Information to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such Protected Health Information.
- No HIPAA Agency Relationship. It is not intended that an agency relationship (as defined
under the Federal common law of agency) be established hereby expressly or by
implication between Covered Entity and Business Associate for purposes of liability under
HIPAA, HIPAA Regulations, or the HITECH Act. No terms or conditions contained in this BA Agreement shall be construed to make or render Business Associate an agent of Covered Entity.
- Regulatory References. A reference in this BA Agreement to a section in HIPAA, HIPAA
Regulations, or the HITECH Act means the section as in effect or as amended or modified
from time to time, including any corresponding provisions of subsequent superseding
laws or regulations.
- Amendment. The Parties agree to take such action as is necessary to amend the
Membership Agreement from time to time as is necessary for Covered Entity to comply
with the requirements of HIPAA, the HIPAA Regulations and the HITECH Act.
- Assignment. This BA will automatically be assigned to the relevant new parties in the
event of the assignment of the Membership Agreement.
- Survival. The respective rights and obligations of Business Associate under Sections 5(c)
and 6 of this BA Agreement shall survive the termination of the Membership Agreement
or this BA Agreement.
- Interpretation. Any ambiguity in this BA Agreement shall be resolved to permit Covered Entity to comply with HIPAA, HIPAA Regulations and the HITECH Act.
- Incorporation. The terms of this BA Agreement are hereby incorporated into the Membership Agreement. In the event of a conflict between the terms of this BA Agreement and the terms of the Membership Agreement, the terms of this BA Agreement shall prevail. The terms of the Membership Agreement which are not modified by this BA Agreement shall remain in full force and effect in accordance with the terms thereof.
- Governing Law. This Agreement and all matters relating to the meaning, validity or enforceability thereof and the performance of services hereunder shall be governed by the laws of New York.
- Entire Agreement. This BA Agreement and the Membership Agreement including its attachments, terms incorporated by reference, and policies made available by Alma to Member with prior notice from time to time constitutes the entire agreement between the Parties with respect to the services to be performed by Alma for Member, and this BA Agreement supersedes and replaces any former business associate agreement or addendum entered into by the Parties.
- Amendment. None of the provisions of this Agreement may be waived, changed or altered except by an instrument in writing signed by both Parties.
- No Assignment. You may not transfer or otherwise assign any of your rights or obligations under this Agreement (including by operation of law) without our prior consent. We may assign this Agreement without your consent.