Business Associate Agreement
Last updated: July 29, 2021
YOU REPRESENT AND WARRANT THAT: (I) YOU HAVE FULL LEGAL AUTHORITY TO ENTER INTO THIS AGREEMENT, (II) YOU HAVE READ AND UNDERSTAND THIS AGREEMENT, AND (III) YOU AGREE TO THE TERMS OF THIS AGREEMENT. IF YOU DO NOT HAVE LEGAL AUTHORITY TO ENTER INTO OR DO NOT AGREE TO THESE TERMS, DO NOT ACCEPT THE TERMS OF THIS AGREEMENT.
WHEREAS, Company and DrChrono are parties to the Services Agreement pursuant to which DrChrono provides software and/or services (collectively, the “Services”) to Company.
WHEREAS, this Agreement defines the rights and responsibilities of each party with respect to Protected Health Information as defined in the Health Insurance Portability and Accountability Act of 1996, as amended by Subtitle D of the Health Information Technology for Economic and Clinical Health Act provisions of the American Recovery and Reinvestment Act of 2009, and the regulations promulgated thereunder, as each may be amended from time to time (collectively, “HIPAA”) with respect to the provision of the Services.
WHEREAS, to the extent DrChrono acts as a “business associate” (as such term is defined at 45 C.F.R. § 160.103) to Company through the provision of the Services, this Agreement is intended to satisfy applicable obligations of the parties under HIPAA.
NOW, THEREFORE, for good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the parties agree as follows:
1. Definitions
- “Breach” shall mean the acquisition, access, use or disclosure of PHI in a manner not permitted by the Privacy Rule that compromises the security or privacy of PHI as defined, and subject to the exclusions set forth, in 45 C.F.R. § 164.402.
- “Business Associate” shall mean DrChrono.
- “Effective Date” shall mean the date Company agrees to the Terms.
- “Electronic Protected Health Information” or “Electronic PHI” shall have the same meaning as the term “electronic protected health information” in 45 C.F.R. § 160.103, limited to the information that Business Associate creates, receives, maintains, or transmits for or on behalf of Company under the Services Agreement.
- “Privacy Rule” shall mean the federal privacy regulations, as amended from time to time, issued pursuant to HIPAA and codified at 45 C.F.R. Parts 160 and 164 (Subparts A & E).
- “Protected Health Information” or “PHI” shall mean “protected health information,” as that term is defined in 45 C.F.R. § 160.103, limited to the information that Business Associate creates, receives, maintains, or transmits for or on behalf of Company under the Services Agreement.
- “Security Rule” shall mean the federal security regulations, as amended from time to time, issued pursuant to HIPAA and codified at 45 C.F.R. Parts 160 and 164 (Subparts A & C).
- “Services Agreement” shall mean any present or future agreements, either written or oral, between Company and Business Associate under which Business Associate provides services to Company which involve the access, use or disclosure of PHI.
- “Unsecured Protected Health Information” or “Unsecured PHI” shall have the same meaning as the term “unsecured protected health information” in 45 C.F.R. § 164.402.
2. Obligations and Activities of Business Associate
- Use and Disclosure. Business Associate agrees not to use or disclose Protected Health Information other than as permitted by the Services Agreement or this Agreement, or as Required by Law.
- Appropriate Safeguards. Business Associate agrees to use reasonable and appropriate administrative, physical, and technical safeguards to prevent the use or disclosure of the Protected Health Information other than as provided for by the Services Agreement or this Agreement, consistent with the requirements of the Security Rule (with respect to Electronic PHI). To the extent Business Associate is to carry out one or more of Company’s obligation(s) under the Privacy Rule, Business Associate may not use or disclose Protected Health Information in a manner that would violate the Privacy Rule if done by Company.
- Reporting of Breaches and Impermissible Uses and Disclosures. Business Associate agrees to report to Company any: (i) Breach of Unsecured PHI in accordance with 45 C.F.R. § 164.410; and (ii) use or disclosure of PHI not provided for by this Agreement of which it becomes aware in accordance with 45 C.F.R. § 164.504.
- Reporting of Security Incidents. Business Associate agrees to report to Company any Security Incident of which it becomes aware, in accordance with 45 C.F.R. § 164.314; provided, however, continuing notice is hereby deemed provided, and no further notice will be provided, for Unsuccessful Security Incidents. For purposes of this Agreement, “Unsuccessful Security Incidents” shall include, but not be limited to, pings and other broadcast attacks on a firewall, unsuccessful login attempts, denial of service attacks, port scans, and any combination of the above, provided that no such incident results in an unauthorized access, use, or disclosure of Electronic PHI. Business Associate’s obligation to report under this Section 2(d) is not and will not be construed as an acknowledgement by Business Associate of any fault or liability with respect to any use, disclosure, or Breach.
- Agents. Business Associate agrees to ensure that any agent, including a subcontractor to whom it provides Protected Health Information, shall agree, in writing, to restrictions and conditions at least as stringent as those that apply to Business Associate under this Agreement, including complying with the applicable Security Rule requirements with respect to Electronic PHI.
- Company Access and Amendment. All Protected Health Information maintained by Business Associate in a Designated Record Set for Company will be available to Company, upon Company’s request, in a time and manner that reasonably allows Company to comply with the requirements under 45 C.F.R. §§ 164.524 and 164.526. Business Associate shall not be obligated to provide any such information directly to any Individual or person other than to Company. To the extent an Individual makes an access and/or amendment request directly to Business Associate, Business Associate shall promptly respond to Individual and direct them to request directly from Company.
- Access to Books and Records. Business Associate agrees to make internal practices, books, and records available to the Secretary, in a time and manner designated by the Secretary, for purposes of the Secretary’s determining Company’s or Business Associate’s compliance with the Privacy Rule; provided, however, that time incurred by Business Associate in complying with any such request to assess Company’s compliance that exceeds its normal customer service parameters shall be charged to Company at Business Associate’s then-current standard hourly rate.
- Accounting. In the event that Business Associate makes disclosures of Protected Health Information to Individuals or any person other than to Company, it shall document the disclosure as would be required for Company to respond to a request by an Individual for an accounting of disclosures in accordance with 45 C.F.R. § 164.528, and shall provide such documentation to Company promptly upon request.
3. Permitted Uses and Disclosures by Business Associate.
- Use for Administration of Business Associate. Except as otherwise limited in this Agreement, Business Associate may use Protected Health Information obtained to provide the Services for the proper management and administration of Business Associate and to carry out the legal responsibilities of Business Associate.
- Disclosure for Administration of Business Associate. Except as otherwise limited in this Agreement, Business Associate may disclose Protected Health Information for the proper management and administration of Business Associate, provided that (i) disclosures are Required by Law, or (ii) Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
- Use for Data Aggregation Services to Company. Business Associate may provide data aggregation services relating to the health care operations of Company.
- De-identified Data. Business Associate may de-identify Protected Health Information in accordance with 45 C.F.R. § 164.514 and use and disclose such de-identified data for its business purposes, including to provide reporting and other services to Company.
4. Company Obligations.
- Data Security. Company will use appropriate safeguards to maintain the confidentiality, privacy and security of PHI when transmitting it to Business Associate pursuant to this Agreement. Company agrees to comply with any data security safeguards assigned to Company in any Services Agreement.
- Privacy Notice. Company shall notify Business Associate of any limitations in Company’s notice of privacy practices in accordance with 45 C.F.R. § 164.520 to the extent that such limitations may affect Business Associate’s use or disclosure of Protected Health Information.
- Changes of Permission of Individual. Company shall notify Business Associate of any changes in, or revocation of, permission by Individual to use or disclose Protected Health Information, to the extent that such changes may affect Business Associate’s use or disclosure of Protected Health Information.
- Restrictions on Use or Disclosure. Company shall notify Business Associate of any restriction to the use or disclosure of Protected Health Information that Company has agreed to in accordance with 45 C.F.R. § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of Protected Health Information.
- Requested Uses and Disclosures. Company agrees that it will not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under the Privacy Rule if done by Company.
- Permissions. Company warrants that it has obtained all necessary authorizations, consents, and other permissions that may be required under applicable law prior to placing data, including without limitation PHI, on Business Associate’s systems.
5. Term and Termination
- Term. The Term of this Agreement shall commence on the Effective Date. This Agreement shall terminate without any further action upon the termination or expiration of the Services Agreement, unless earlier terminated in accordance with Section 5(b). Notwithstanding anything to the contrary, in the event that Company requires Business Associate to retain the Protected Health Information after termination of the Services Agreement, this Agreement shall survive for as long as storage by Business Associate is required and Company shall bear the reasonable cost of storage of such Protected Health Information for as long as storage by Business Associate is required.
- Termination. If either party learns of a pattern of activity or practice of the other party that constitutes a material breach or violation of this Agreement, then the non-breaching party shall provide written notice of the breach or violation to the other party that specifies the nature of the breach or violation. The other party must cure the breach or end the violation on or before thirty (30) days after receipt of the written notice. In the absence of a cure reasonably satisfactory to the non-breaching party within the specified timeframe, or in the event the breach is reasonably incapable of cure, the non-breaching party may terminate this Agreement and the Services Agreement.
- Effect of Termination. Upon termination of the Services Agreement for any reason, Business Associate shall return or destroy all Protected Health Information not necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities. In the event that Business Associate determines that returning or destroying the Protected Health Information is infeasible, Business Associate shall provide Company notification of the conditions that make return or destruction infeasible. Business Associate shall extend the protections of this Agreement to such Protected Health Information and limit further uses and disclosures of such Protected Health Information to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such Protected Health Information.
- Amendment. Each party agrees to take such action as is reasonably necessary to amend this Agreement from time to time as is necessary for Company to comply with the requirements of HIPAA as they may be amended from time to time; provided, however, that if such an amendment would materially increase the cost of Business Associate providing service under this Agreement, Business Associate shall have the option to terminate this Agreement on thirty (30) days’ advance notice.
- Survival. Sections 5(c), 6(b), and 6(c) shall survive the termination or expiration of this Agreement.
- Interpretation. Any ambiguity in this Agreement shall be resolved to permit either Business Associate or Company to comply with HIPAA.
- Independent Contractor. Business Associate and Company are and shall remain independent contractors throughout the term. Nothing in this Agreement shall be construed to constitute Business Associate and Company as partners, joint venturers, agents or anything other than independent contractors.
- The terms of this Agreement are hereby incorporated into the Services Agreement. In the event of a conflict between the terms of this Agreement and the terms of the Services Agreement, the terms of this Agreement shall prevail.
- This Agreement shall be governed by, and construed in accordance with, the laws of the State of California, exclusive of conflict of law rules.
- The Services Agreement together with this Agreement constitutes the entire agreement between the parties with respect to the subject matter contained herein, and this Agreement supersedes and replaces any former business associate agreement or addendum entered into by the parties.
- Nothing in this Agreement shall confer upon any person other than the parties and their respective successors or assigns, any rights, remedies, obligations or liabilities whatsoever.
- No amendment or modification to this Agreement or waiver of any provision hereof shall be effective except in a writing duly signed by both parties.
- A waiver with respect to one event will not be construed as continuing, or as a bar to or waiver of any right or remedy as to subsequent events.