Alara - HIPAA Business Associate Agreement

This Business Associate Agreement (“BAA”) is entered into by and between Alara Imaging, Inc. (“Business Associate”) and Health Care Provider (“Covered Entity”) and is effective as of the date of the last signature of the Parties below (“Effective Date”). Business Associate and Covered Entity may be referred to herein collectively as the “Parties” or individually as a “Party.” This BAA is entered into by Business Associate and Covered Entity in conjunction with the Alara Imaging Health Care Provider Terms of Service (the “Services Agreement”).

1.     Scope; Definitions.

1.1    This BAA shall be effective to the extent Business Associate has agreed to perform Services that require Business Associate to create, receive, maintain, or transmit PHI pursuant to the Services Agreement.

1.2    All capitalized terms used but not defined herein shall have the meaning set forth in the HIPAA Rules or the Services Agreement, as applicable; provided, however, that in the event of a conflict between defined terms, the HIPAA Rules shall control.

1.3    The following terms are specifically defined as follows:

(a)    “Business Associate” has the same meaning as the term “business associate” at 45 CFR 160.103, and, subject to Section 1(a), in reference to the Party to this BAA, shall mean Alara.

(b)    “Covered Entity” has the same meaning as the term “covered entity” at 45 CFR 160.103, and in reference to the Party to this BAA, shall mean the Health Care Provider entering into the Services Agreement.

(c)    “Electronic Protected Health Information” or “ePHI” has the same general meaning as the term “electronic protected health information” at 45 C.F.R. § 160.103, but for purposes of this BAA is limited to the ePHI created, received, transmitted, or maintained by Business Associate for or on behalf of Covered Entity.

(d)    “HIPAA Rules” means the Health Insurance Portability and Accountability Act of 1996, the Health Information Technology for Economic and Clinical Health Act, and the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164, each as amended from time to time.

(e)    “Protected Health Information” or “PHI” has the same general meaning as the term “protected health information” at 45 C.F.R. § 160.103, but for purposes of this BAA is limited to the PHI created, received, transmitted, or maintained by Business Associate for or on behalf of Covered Entity.

(f)    “Services” means the services that Business Associate provides to Covered Entity pursuant to the Services Agreement.

(g)    “Unsuccessful Security Incidents” means, without limitation, pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denial of service attacks, and any combination of the above, so long as no such incident results in unauthorized access, Use or Disclosure of Covered Entity’s ePHI.

2.     Obligations and Activities of Business Associate.

2.1    Business Associate agrees not to Use or Disclose PHI received or created by Business Associate except as permitted by this BAA, the Services Agreement, or as Required by Law.

2.2    Business Associate agrees to use reasonably appropriate safeguards to comply with Subpart C of 45 CFR Part 164 with respect to ePHI, and to prevent Use or Disclosure of PHI other than as provided for by this BAA, the Services Agreement, or as Required by Law.

2.3    Business Associate agrees to report to Covered Entity any Use or Disclosure of PHI not provided for by this BAA of which it becomes aware, including a Breach of Unsecured PHI as required under 45 C.F.R. § 160.410, and any Security Incident of which it becomes aware. Notwithstanding the foregoing, the Parties acknowledge and agree that this Section 2(c) constitutes notice by Business Associate to Covered Entity of the ongoing existence and occurrence or attempts of Unsuccessful Security Incidents for which no additional notice to Covered Entity shall be required.

2.4    Business Associate agrees, in accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, to obtain from any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate pursuant to this BAA and the Services Agreement, reasonable written assurances that the Subcontractor will adhere to the restrictions and conditions that apply to Business Associate pursuant to this BAA with respect to such PHI.

2.5    Business Associate agrees to make available, at the request of Covered Entity, PHI that is maintained in a Designated Record Set (if any) as necessary to allow Covered Entity to satisfy its obligations under 45 C.F.R. § 164.524.

2.6    Business Associate agrees to make amendment(s) to PHI maintained in a Designated Record Set (if any), as requested by the Covered Entity, pursuant to 45 C.F.R. § 164.526, or take other measures as reasonably necessary to enable Covered Entity to satisfy its obligations under 45 C.F.R. § 164.526.

2.7    Business Associate agrees to maintain and make available to Covered Entity the information required to provide an accounting of Disclosures, as reasonably necessary to satisfy Covered Entity’s obligations under 45 C.F.R. § 164.528.

2.8    For clarity, with respect to the foregoing Sections 2(e)-(g), in no case shall Business Associate be responsible for responding directly to any Individual who submits a request to Business Associate pursuant to 45 CFR. § 164.524 – 164.528; provided, however, that Business Associate shall promptly forward such requests to Covered Entity in accordance with Sections 2(e)-(g).

2.9    To the extent that Business Associate is to carry out one or more of Covered Entity’s obligation(s) under Subpart E of 45 C.F.R. Part 164, Business Associate agrees to comply with the requirements of Subpart E that apply to Covered Entity in the performance of such obligation(s).

2.10    Business Associate agrees to make its internal practices, books, and records, regarding the Use and Disclosure of PHI created or received by Business Associate for or on behalf of the Covered Entity available to the Secretary for purposes of the Secretary determining Covered Entity’s compliance with the HIPAA Rules.

3.     Permitted Uses and Disclosures by Business Associate.

3.1    Business Associate may Use or Disclose PHI as necessary to perform the Services set forth in the Services Agreement or as Required by Law.

3.2    Business Associate may Use PHI for its proper management and administration, or to carry out its legal responsibilities.

3.3    Business Associate may Disclose PHI for its proper management and administration, or to carry out its legal responsibilities, provided the Disclosures are (i) Required by Law, or (ii) Business Associate obtains reasonable assurances from the person to whom the information is Disclosed that the information will remain confidential and Used or further Disclosed only as Required by Law or for the purposes for which it was Disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.

3.4    Business Associate may provide Data Aggregation services relating to the Health Care Operations of Covered Entity.

3.5    Business Associate may Use PHI to de-identify the information in accordance with 45 C.F.R. § 164.514(a)-(c).

3.6    Covered Entity expressly authorizes Business Associate to retrieve PHI from Covered Entity’s electronic health record (“EHR”) management system and disclose such PHI to third parties for purposes of facilitating Treatment, Payment, or Health Care Operations (each as defined in 45 C.F.R. § 164.501) (each such disclosure defined herein as a “TPO Data Transfer”). For each such TPO Data Transfer: (i) Covered Entity acknowledges and agrees that such disclosure may be made without the prior written authorization of the individual to which such PHI relates; and (ii) Business Associate acknowledges and agrees that each such TPO Data Transfer shall be made solely to the extent that (A) the third-party recipient of the TPO Data Transfer is considered either a covered entity or a business associate under HIPAA, (B) Business Associate has entered into a separate Business Associate Agreement with each such third-party recipient of PHI (whether to which Business Associate is a primary business associate to such entity in its position as a covered entity, as an upstream business associate with such third party serving as a Subcontractor business associate, or as a Subcontractor business associate to an upstream business associate separately engaged by Covered Entity), and (C) that, in engaging in any such access of Covered Entity’s EHR system and/or Patient Data Transfer, Business Associate shall at all times limit such activities to the scope permitted by HIPAA’s authorization exception for Treatment, Payment, or Health Care Operations-related uses and disclosures under 45 C.F.R. § 164.506.

4.     Obligations of Covered Entity.

4.1    During the Term of this BAA, Covered Entity shall:

(a)    Notify Business Associate of any limitations in its Notice of Privacy Practices, to the extent that such limitation may affect Business Associate’s Use or Disclosure of PHI;

(b)    Notify Business Associate of any restrictions on uses or disclosures of PHI to which Covered Entity has agreed in accordance with 45 C.F.R. § 164.522; provided, however, that to the extent that any such restriction renders Business Associate unable to perform the Services, Covered Entity shall not disclose to Business Associate any PHI related to the individual at issue and Covered Entity acknowledges that no Services will be performed with respect to such individual;

(c)    Notify Business Associate of any changes in, or revocation of, permission by an Individual to Use or Disclose PHI, to the extent that such changes may affect Business Associate’s Use or Disclosure of PHI;

(d)    Not request Business Associate to Use or Disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Covered Entity (other than as permitted pursuant to Sections 3(b)-(d) above); and

(e)    Comply with all of the HIPAA Rule requirements applicable to Covered Entity.

5.     Term and Termination.

5.1    Term. The Term of this BAA shall commence on the Effective Date and, except for the rights and obligations set forth in this BAA specifically surviving termination, shall terminate upon the termination or expiration of the Services Agreement, unless otherwise earlier terminated for cause in accordance with this Section 5.

5.2    Termination by Covered Entity. In addition to any termination provisions set forth in the applicable Services Agreement, Covered Entity may terminate this BAA if Covered Entity determines, in good faith and after reasonable investigation, that Business Associate has violated a material term of this BAA, and Business Associate has failed to cure such material breach or end the violation within thirty (30) days of written notice by Covered Entity to Business Associate of such alleged breach.

5.3    Termination by Business Associate. In addition to and notwithstanding any termination provisions set forth in the applicable Services Agreement, Business Associate may terminate this BAA if Business Associate determines, in good faith and after reasonable investigation, that Covered Entity has violated a material term of this BAA, and Covered Entity has failed to cure such material breach or end the violation within thirty (30) days of notice by Business Associate to Covered Entity of such alleged breach.

5.4    Effect of Termination. Upon termination or expiration of this BAA for any reason, Business Associate shall:

(a)    Retain only that PHI which is necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities (if any);

(b)    Return to Covered Entity or destroy the remaining PHI that Business Associate still maintains in any form that is not necessary to carry out Section 5(d)(i);

(c)    Continue to use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 with respect to ePHI to prevent Use or Disclosure of the PHI, other than as provided for in this Section 5(d), for as long as Business Associate retains the PHI;

(d)    Not Use or Disclose the PHI retained by Business Associate other than for the purposes for which such PHI was retained and subject to the same conditions set out at Sections 3(b)-(d) which applied prior to termination; and

(e)    Return to Covered Entity or destroy the PHI retained by Business Associate when it is no longer needed by Business Associate for its proper management and administration, or to carry out its legal responsibilities.

6.     Change in Law. In the event a change in the HIPAA Rules or any other state or federal laws require the Parties to amend this BAA, the Parties agree to negotiate such amendment in good faith, provided that either Party may terminate this BAA upon notice if the Parties are unable to mutually agree upon and execute such amendment.

7.     Indemnification. Each Party will indemnify, defend, and hold harmless the other Party and its affiliates, and its and their respective officers, stockholders, directors, partners, agents, and employees against any and all claims, demands, suits, or actions, actual or threatened by a third party (“Claims”), arising out of or relating to the indemnifying Party’s: (a) violation of this BAA; (b) violation of the HIPAA Rules; or (c) any other action or inaction by the indemnifying Party, whether taken directly or indirectly, resulting in an impermissible use or disclosure of PHI (including any ePHI) in violation of this BAA or the HIPAA Rules. NOTWITHSTANDING THE FOREGOING OR ANYTHING TO THE CONTRARY HEREIN OR OTHERWISE, (I) EACH PARTY’S TOTAL LIABILITY UNDER THIS SECTION 7 AND THE BAA MORE GENERALLY SHALL NOT EXCEED THE GREATER OF: (A) $10,000; AND (B) THE TOTAL AMOUNT OF FEES PAID TO BUSINESS ASSOCIATE UNDER THE SERVICES AGREEMENT IN THE 12-MONTH PERIOD IMMEDIATELY PRECEDING THE CLAIM(S), AND (II) UNDER NO CIRCUMSTANCES WILL A PARTY BE LIABLE TO THE OTHER PARTY FOR CONSEQUENTIAL, INCIDENTAL, SPECIAL, OR EXEMPLARY DAMAGES ARISING OUT OF OR RELATED TO THE TRANSACTION CONTEMPLATED UNDER THIS BAA, INCLUDING BUT NOT LIMITED TO LOST PROFITS OR LOSS OF BUSINESS, EVEN IF IT IS APPRISED OF THE LIKELIHOOD OF SUCH DAMAGES OCCURRING.