Business Associate Agreement
This BUSINESS ASSOCIATE AGREEMENT (the “Agreement”) is entered into this _____ of _____________, 2021 (the “Effective Date”), by and between IndividuALLytics, Inc. dba IndividuALLytics Connected Care and managed services organization collaborator Advanced Precision Health Management PLLC (“Business Associate”) and __________________ (“Covered Entity”). Business Associate and Covered Entity are sometimes each individually referred to herein as a “Party” and collectively as the “Parties.”
WHEREAS, Business Associate and Covered Entity (the “Services”) have entered into an Agreement(s) (the “Services Agreement”) under which the Business Associate provides certain services to the Covered Entity; and
WHEREAS, in connection with Business Associate’s provision of Services, Covered Entity may disclose to Business Associate information that is Protected Health Information (PHI) under the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, as amended (“HIPAA”), and the Privacy Rule, Security Rule, Enforcement Rule and Breach Notification Rule set forth at 45 C.F.R. Parts 160 and 164 (jointly “HIPAA Rules”) promulgated thereunder; and
WHEREAS, Business Associate may create, maintain, access, use, disclose, transmit or receive PHI on behalf of Covered Entity only as set forth in this Agreement and to the extent allowed under the HIPAA Rules; and
WHEREAS, Covered Entity and Business Associate intend to protect the privacy and provide for the security of PHI in compliance with HIPAA; and
WHEREAS, Business Associate acknowledges and understands that the HIPAA Rules impose direct liability upon it for violations of the HIPAA Rules and to protect against such liability Business Associate agrees to implement appropriate policies and procedures as more fully set forth below.
NOW, THEREFORE, in consideration of the mutual covenants and promises contained herein, and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the parties hereto agree as follows:
Section 1. Definitions
All capitalized terms used in this Agreement not otherwise defined herein or in the Services Agreement shall have the same meaning as those terms are defined under the HIPAA Rules.
1.1 “Individual” means the person who is the subject of Protected Health Information.
1.2 “Protected Health Information” or “PHI” means information that falls within the definition of “Protected Health Information” under the HIPAA Rules, except that Protected Health Information or PHI as defined herein shall be limited to the information created or received by Business Associate from or on behalf of Covered Entity, and shall include Electronic Protected Health Information.
1.3 “Sensitive Data” shall mean an Individual’s first name or first initial and last name plus one (1) or more of the following data elements:
1.3.1 Social Security number;
1.3.2 driver’s license number or state-issued ID card number; or
1.3.3 account number, credit card number or debit card number combined with any security code, access code, PIN or password needed to access a financial account.
1.4 “Unsuccessful Security Incident” shall mean pings and other broadcast attacks on a firewall, port scans, unsuccessful log-on attempts, denials of service, or other similar attempted but unsuccessful Security Incident, or a combination thereof.
Section 2. Business Associate Use and Disclosure of PHI
2.1 Business Associate may use, access, create, maintain, transmit, receive and disclose PHI as reasonably required in connection with the performance of Services in connection with Covered Entity, excluding the use or further disclosure of such PHI in a manner that would violate the requirements of the Privacy Rule, if done by the Covered Entity.
2.2 Business Associate may use and disclose such PHI for the proper management and administration or to carry out the legal responsibilities of Business Associate.
2.3 Business Associate will not use, access, create, maintain or further disclose PHI other than as permitted or required by this Agreement or as required by applicable law.
2.4 Business Associate will use appropriate safeguards to prevent use or disclosure of PHI other than as provided for in this Agreement.
2.5 Business Associate shall provide reasonable access to Covered Entity (including inspection and obtaining copies), within ten (10) days following the written request of Covered Entity, to PHI in any Designated Record Set that may be held by Business Associate in order to meet the requirements of the Privacy Rule, as well as provide a copy of the electronic health record in an electronic format upon request as may be required under the HIPAA Rules.
2.6 Business Associate will, at the written request of the Covered Entity make available to Covered Entity within ten (10) days, the PHI in any Designated Record Set that may be held by Business Associate for amendment and immediately incorporate any amendments to such information in accordance with the Privacy Rule.
2.7 Business Associate will maintain and, within ten (10) days following the written request of Covered Entity, make available to Covered Entity the information that may be held by Business Associate required to provide an accounting of disclosures in accordance with the Privacy Rule.
2.8 In the event that Business Associate receives a request from an Individual or patient for Access, Amendment or Accounting purposes as described in sections 2.7 – 2.9 above, Business Associate will promptly, and in any event no later than ten (10) days following the Individual’s or patient’s request, notify Covered Entity in writing of said request and provide reasonable assistance to Covered Entity in responding to the Individual’s or patient’s request and in a timely fashion so as to permit Covered Entity to respond to the request within the time limits imposed under the HIPAA Rules. Covered Entity will have sole and exclusive authority in overseeing the response to an Individual’s or patient’s request and Business Associate will not provide any response to an Individual or patient without first notifying Covered Entity in writing and complying with the reasonable instructions from Covered Entity.
2.9 Business Associate will make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of the U.S. Department of Health & Human Services (“HHS”) for purposes of determining the Covered Entity’s compliance with HIPAA and the HIPAA Rules. In the event that Business Associate receives a request from HHS or any other state or Federal agency relating to PHI, Business Associate will provide immediate notice to Covered Entity and grants Covered Entity authority to direct the response to any such request to the extent it relates to PHI of Covered Entity.
2.10 Business Associate may use or disclose PHI for any purpose provided that the PHI has been de-identified in accordance with the standards set forth at 45 C.F.R. Section 164.514(b).
Section 3. Business Associate Obligations
3.1 Business Associate will implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of PHI as required under the Security Rule.
3.2 Business Associate will ensure that any agent, including a subcontractor, to whom it provides PHI enters into a written agreement with Business Associate and agrees to implement reasonable and appropriate safeguards to the same extent required by Business Associate under this Agreement.
3.3 Business Associate will report to Covered Entity any attempted or successful unauthorized access, use, disclosure, modification, or destruction of PHI or interference with system operations in an Information System affecting such PHI (“Security Incident”) of which Business Associate becomes aware within ten (10) days of Business Associate’s Discovery of such Security Incident. Notwithstanding the foregoing, the Parties acknowledge the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents which are trivial in nature, and the Parties agree that no additional notification to Covered Entity of such Unsuccessful Security Incidents is required. Provided, however, to the extent that Business Associate becomes aware of an unusually high number of such Unsuccessful Security Incidents due to the repeated acts of a single party, Business Associate shall notify Covered Entity in writing within ten (10) days of Business Associate’s Discovery of such event.
3.4 Business Associate will report to Covered Entity in writing any acquisition, access, use or disclosure of PHI in violation of HIPAA which constitutes a Breach of Unsecured PHI within ten (10) days of Discovery of the Breach.
3.5 Business Associate agrees to make uses and disclosures and requests for PHI consistent with Covered Entity’s minimum necessary policies and procedures, to the extent those policies and procedures are communicated to Business Associate in accordance with Section 4.4 below, and ensure that Business Associate uses or discloses the minimum necessary PHI when carrying out its obligations to provide the Services.
3.6 Business Associate may disclose PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, provided the disclosures are required by law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
3.7 Business Associate will mitigate, to the extent practicable, any harmful effect that is known to Business Associate or Covered Entity related to the use, access, disclosure, transmission, reception, creation, or maintenance of PHI by Business Associate.
Section 4. Covered Entity Obligations
4.1 Covered Entity will notify Business Associate of any limitation(s) in the Notice of Privacy Practices of Covered Entity, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI.
4.2 Covered Entity will notify Business Associate of any restriction on the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by under the HIPAA Privacy Rule, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.
4.3 Covered Entity will not request Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Covered Entity, except for use or disclosure of PHI for management and administration and legal responsibilities of Business Associate.
4.4 Covered Entity shall only disclose to Business Associate the minimum amount of PHI necessary to accomplish the provision of the Services, and shall not request Business Associate to use or further disclose PHI other than as minimally necessary to perform the Services. Covered Entity shall communicate its minimum necessary policies and procedures in writing to Business Associate prior to disclosing any PHI to Business Associate, and shall promptly notify Business Associate in writing of any changes to such policies and procedures.
4.5 Notwithstanding any permissive disclosure of Sensitive Data to Business Associate which might otherwise be exempt from Section 4.4, above, Covered Entity shall never disclose Sensitive Data to Business Associate, except as expressly agreed in writing, which writing must document and articulate an agreed necessity and purpose for sharing of Sensitive Data with Business Associate or any other entities, including other health care providers, to whom such Sensitive Data is to be disclosed.
Section 5. Term and Termination
5.1 The term of this Agreement shall commence on the date first set forth above and shall continue for so long as Business Associate creates, uses, discloses, maintains, transmits, or receives PHI on behalf of Covered Entity.
5.2 Covered Entity may terminate this Agreement and any agreement related to the Services, if Covered Entity determines Business Associate has violated a material term of this Agreement and Business Associate has not cured the breach or ended the violation within ten (10) days of receiving notice of the same to the reasonable satisfaction of Covered Entity.
5.3 Obligations of Business Associate Upon Termination.
5.3.1 Upon termination of this Agreement for any reason, Business Associate shall return to Covered Entity or, if agreed to by Covered Entity, destroy all PHI created, maintained, used, disclosed, transmitted or received from Covered Entity that Business Associate still maintains in any form. Business Associate shall retain no copies of the PHI.
5.3.2 If Covered Entity agrees that return or destruction of PHI by Business Associate is not feasible, Covered Entity will notify Business Associate of such in writing and Business Associate will then extend the protections of this Agreement to the PHI and limit further use.
5.3.3 The obligations set forth hereunder shall apply to all subcontractors of Business Associate and Business Associate will take all necessary action to ensure that each subcontractor complies with these provisions upon termination.
5.3.4 The obligations of Business Associate under this Section shall survive the termination of this Agreement.
Section 6. Miscellaneous Provisions
6.1 Amendment. The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for compliance with the requirements of the HIPAA Rules and any other applicable law.
6.2 Interpretation. Any ambiguity in this Agreement shall be interpreted to permit compliance with the HIPAA Rules.
6.3 Severability. The invalidity or unenforceability of any term or provision of this Agreement shall not affect the validity or enforceability of any other term or provision.
6.4 No Third-Party Beneficiaries. This Agreement shall not in any manner whatsoever confer any rights upon or increase the rights of any third party.
6.5 Survival. The obligations of Business Associate under this Agreement shall survive the termination, expiration, or cancellation of this Agreement or any agreement related to the Services and shall continue to bind Business Associate, its agents, subcontractors, employees, workforce members, successors and assigns.
IN WITNESS WHEREOF, the Parties have executed this Agreement as of the day and year written above.
Business Associate:
By: ______________________________
Print: Dennis Nash
Title: President
Date: ______________________________
Covered Entity:
By: ______________________________
Print: ______________________________
Title: ______________________________
Date: _____________________________
Business Associate Agreement
This BUSINESS ASSOCIATE AGREEMENT (the “Agreement”) is entered into this ___ of ___________, 2021 (the “Effective Date”), by and between ____________________ (“Business Associate”) and IndividuALLytics, Inc. dba IndividuALLytics Connected Care and managed services organization collaborator Advanced Precision Health Management PLLC (“Covered Entity”). Business Associate and Covered Entity are sometimes each individually referred to herein as a “Party” and collectively as the “Parties.”
WHEREAS, Business Associate and Covered Entity (the “Services”) have entered into an Agreement(s) (the “Services Agreement”) under which the Business Associate provides certain services to the Covered Entity; and
WHEREAS, in connection with Business Associate’s provision of Services, Covered Entity may disclose to Business Associate information that is Protected Health Information (PHI) under the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, as amended (“HIPAA”), and the Privacy Rule, Security Rule, Enforcement Rule and Breach Notification Rule set forth at 45 C.F.R. Parts 160 and 164 (jointly “HIPAA Rules”) promulgated thereunder; and
WHEREAS, Business Associate may create, maintain, access, use, disclose, transmit or receive PHI on behalf of Covered Entity only as set forth in this Agreement and to the extent allowed under the HIPAA Rules; and
WHEREAS, Covered Entity and Business Associate intend to protect the privacy and provide for the security of PHI in compliance with HIPAA; and
WHEREAS, Business Associate acknowledges and understands that the HIPAA Rules impose direct liability upon it for violations of the HIPAA Rules and to protect against such liability Business Associate agrees to implement appropriate policies and procedures as more fully set forth below.
NOW, THEREFORE, in consideration of the mutual covenants and promises contained herein, and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the parties hereto agree as follows:
Section 1. Definitions
All capitalized terms used in this Agreement not otherwise defined herein or in the Services Agreement shall have the same meaning as those terms are defined under the HIPAA Rules.
1.1 “Individual” means the person who is the subject of Protected Health Information.
1.2 “Protected Health Information” or “PHI” means information that falls within the definition of “Protected Health Information” under the HIPAA Rules, except that Protected Health Information or PHI as defined herein shall be limited to the information created or received by Business Associate from or on behalf of Covered Entity, and shall include Electronic Protected Health Information.
1.3 “Sensitive Data” shall mean an Individual’s first name or first initial and last name plus one (1) or more of the following data elements:
1.3.1 Social Security number;
1.3.2 driver’s license number or state-issued ID card number; or
1.3.3 account number, credit card number or debit card number combined with any security code, access code, PIN or password needed to access a financial account.
1.4 “Unsuccessful Security Incident” shall mean pings and other broadcast attacks on a firewall, port scans, unsuccessful log-on attempts, denials of service, or other similar attempted but unsuccessful Security Incident, or a combination thereof.
Section 2. Business Associate Use and Disclosure of PHI
2.1 Business Associate may use, access, create, maintain, transmit, receive and disclose PHI as reasonably required in connection with the performance of Services in connection with Covered Entity, excluding the use or further disclosure of such PHI in a manner that would violate the requirements of the Privacy Rule, if done by the Covered Entity.
2.2 Business Associate may use and disclose such PHI for the proper management and administration or to carry out the legal responsibilities of Business Associate.
2.3 Business Associate will not use, access, create, maintain or further disclose PHI other than as permitted or required by this Agreement or as required by applicable law.
2.4 Business Associate will use appropriate safeguards to prevent use or disclosure of PHI other than as provided for in this Agreement.
2.5 Business Associate shall provide reasonable access to Covered Entity (including inspection and obtaining copies), within ten (10) days following the written request of Covered Entity, to PHI in any Designated Record Set that may be held by Business Associate in order to meet the requirements of the Privacy Rule, as well as provide a copy of the electronic health record in an electronic format upon request as may be required under the HIPAA Rules.
2.6 Business Associate will, at the written request of the Covered Entity make available to Covered Entity within ten (10) days, the PHI in any Designated Record Set that may be held by Business Associate for amendment and immediately incorporate any amendments to such information in accordance with the Privacy Rule.
2.7 Business Associate will maintain and, within ten (10) days following the written request of Covered Entity, make available to Covered Entity the information that may be held by Business Associate required to provide an accounting of disclosures in accordance with the Privacy Rule.
2.8 In the event that Business Associate receives a request from an Individual or patient for Access, Amendment or Accounting purposes as described in sections 2.7 – 2.9 above, Business Associate will promptly, and in any event no later than ten (10) days following the Individual’s or patient’s request, notify Covered Entity in writing of said request and provide reasonable assistance to Covered Entity in responding to the Individual’s or patient’s request and in a timely fashion so as to permit Covered Entity to respond to the request within the time limits imposed under the HIPAA Rules. Covered Entity will have sole and exclusive authority in overseeing the response to an Individual’s or patient’s request and Business Associate will not provide any response to an Individual or patient without first notifying Covered Entity in writing and complying with the reasonable instructions from Covered Entity.
2.9 Business Associate will make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of the U.S. Department of Health & Human Services (“HHS”) for purposes of determining the Covered Entity’s compliance with HIPAA and the HIPAA Rules. In the event that Business Associate receives a request from HHS or any other state or Federal agency relating to PHI, Business Associate will provide immediate notice to Covered Entity and grants Covered Entity authority to direct the response to any such request to the extent it relates to PHI of Covered Entity.
2.10 Business Associate may use or disclose PHI for any purpose provided that the PHI has been de-identified in accordance with the standards set forth at 45 C.F.R. Section 164.514(b).
Section 3. Business Associate Obligations
3.1 Business Associate will implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of PHI as required under the Security Rule.
3.2 Business Associate will ensure that any agent, including a subcontractor, to whom it provides PHI enters into a written agreement with Business Associate and agrees to implement reasonable and appropriate safeguards to the same extent required by Business Associate under this Agreement.
3.3 Business Associate will report to Covered Entity any attempted or successful unauthorized access, use, disclosure, modification, or destruction of PHI or interference with system operations in an Information System affecting such PHI (“Security Incident”) of which Business Associate becomes aware within ten (10) days of Business Associate’s Discovery of such Security Incident. Notwithstanding the foregoing, the Parties acknowledge the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents which are trivial in nature, and the Parties agree that no additional notification to Covered Entity of such Unsuccessful Security Incidents is required. Provided, however, to the extent that Business Associate becomes aware of an unusually high number of such Unsuccessful Security Incidents due to the repeated acts of a single party, Business Associate shall notify Covered Entity in writing within ten (10) days of Business Associate’s Discovery of such event.
3.4 Business Associate will report to Covered Entity in writing any acquisition, access, use or disclosure of PHI in violation of HIPAA which constitutes a Breach of Unsecured PHI within ten (10) days of Discovery of the Breach.
3.5 Business Associate agrees to make uses and disclosures and requests for PHI consistent with Covered Entity’s minimum necessary policies and procedures, to the extent those policies and procedures are communicated to Business Associate in accordance with Section 4.4 below, and ensure that Business Associate uses or discloses the minimum necessary PHI when carrying out its obligations to provide the Services.
3.6 Business Associate may disclose PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, provided the disclosures are required by law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
3.7 Business Associate will mitigate, to the extent practicable, any harmful effect that is known to Business Associate or Covered Entity related to the use, access, disclosure, transmission, reception, creation, or maintenance of PHI by Business Associate.
Section 4. Covered Entity Obligations
4.1 Covered Entity will notify Business Associate of any limitation(s) in the Notice of Privacy Practices of Covered Entity, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI.
4.2 Covered Entity will notify Business Associate of any restriction on the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by under the HIPAA Privacy Rule, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.
4.3 Covered Entity will not request Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Covered Entity, except for use or disclosure of PHI for management and administration and legal responsibilities of Business Associate.
4.4 Covered Entity shall only disclose to Business Associate the minimum amount of PHI necessary to accomplish the provision of the Services, and shall not request Business Associate to use or further disclose PHI other than as minimally necessary to perform the Services. Covered Entity shall communicate its minimum necessary policies and procedures in writing to Business Associate prior to disclosing any PHI to Business Associate, and shall promptly notify Business Associate in writing of any changes to such policies and procedures.
4.5 Notwithstanding any permissive disclosure of Sensitive Data to Business Associate which might otherwise be exempt from Section 4.4, above, Covered Entity shall never disclose Sensitive Data to Business Associate, except as expressly agreed in writing, which writing must document and articulate an agreed necessity and purpose for sharing of Sensitive Data with Business Associate or any other entities, including other health care providers, to whom such Sensitive Data is to be disclosed.
Section 5. Term and Termination
5.1 The term of this Agreement shall commence on the date first set forth above and shall continue for so long as Business Associate creates, uses, discloses, maintains, transmits, or receives PHI on behalf of Covered Entity.
5.2 Covered Entity may terminate this Agreement and any agreement related to the Services, if Covered Entity determines Business Associate has violated a material term of this Agreement and Business Associate has not cured the breach or ended the violation within ten (10) days of receiving notice of the same to the reasonable satisfaction of Covered Entity.
5.3 Obligations of Business Associate Upon Termination.
5.3.1 Upon termination of this Agreement for any reason, Business Associate shall return to Covered Entity or, if agreed to by Covered Entity, destroy all PHI created, maintained, used, disclosed, transmitted or received from Covered Entity that Business Associate still maintains in any form. Business Associate shall retain no copies of the PHI.
5.3.2 If Covered Entity agrees that return or destruction of PHI by Business Associate is not feasible, Covered Entity will notify Business Associate of such in writing and Business Associate will then extend the protections of this Agreement to the PHI and limit further use.
5.3.3 The obligations set forth hereunder shall apply to all subcontractors of Business Associate and Business Associate will take all necessary action to ensure that each subcontractor complies with these provisions upon termination.
5.3.4 The obligations of Business Associate under this Section shall survive the termination of this Agreement.
Section 6. Miscellaneous Provisions
6.1 Amendment. The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for compliance with the requirements of the HIPAA Rules and any other applicable law.
6.2 Interpretation. Any ambiguity in this Agreement shall be interpreted to permit compliance with the HIPAA Rules.
6.3 Severability. The invalidity or unenforceability of any term or provision of this Agreement shall not affect the validity or enforceability of any other term or provision.
6.4 No Third-Party Beneficiaries. This Agreement shall not in any manner whatsoever confer any rights upon or increase the rights of any third party.
6.5 Survival. The obligations of Business Associate under this Agreement shall survive the termination, expiration, or cancellation of this Agreement or any agreement related to the Services and shall continue to bind Business Associate, its agents, subcontractors, employees, workforce members, successors and assigns.
IN WITNESS WHEREOF, the Parties have executed this Agreement as of the day and year written above.
Business Associate:
By: ______________________________
Print: ______________________________
Title: ______________________________
Date: ______________________________
Covered Entity:
By: ______________________________
Print: Dennis Nash
Title: President
Date: _____________________________