THIS BUSINESS ASSOCIATE AGREEMENT (this “BAA”) is entered into on the Effective Date by and between Practice-Web and the Client.
WHEREAS, the Client has engaged Practice-Web to provide certain products and services to the Client (the “Services”) as set forth in certain agreement(s) between Practice-Web and the Client (the “Underlying Agreements”), which may involve the Use and Disclosure of Protected Health Information and Electronic Protected Health Information (collectively, “PHI”); and
WHEREAS, Practice-Web and the Client are required to protect the privacy of and provide for the security of PHI Disclosed to Practice-Web in compliance with the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), Public Law 111-005, and the regulations promulgated thereunder; 45 C.F.R. Parts 160 and Part 164, Subparts A, C, D and E (Subpart E, together with the definitions in Subpart A is known as the “Standards for Privacy of Individually Identifiable Health Information” (the “Privacy Rule”) and Subpart C, together with the definitions in Subpart A, is known as the “Security Standards for the Protection of Electronic Protected Health Information” (the “Security Rule”) Subpart D, together with the definitions in Subpart A is known as the “Breach Notification Rule” (“Breach Notification Rule”) (the Privacy Rule, Breach Notification Rule and the Security Rule are collectively called the “HIPAA Regulations”); and
WHEREAS, the HIPAA Regulations require the Client to enter into a Business Associate Agreement with Practice-Web containing certain requirements for Business Associates as detailed in the HIPAA Regulations with respect to Practice-Web’s creation, receipt, maintenance or transmission of PHI received for or from the Client; and
NOW, THEREFORE, in consideration of the mutual promises and other consideration contained herein, the sufficiency of which is hereby acknowledged, the parties agree as follows:
1. Definitions. Unless otherwise defined herein, capitalized terms have the definitions given to them in the HIPAA Regulations. Notwithstanding the foregoing, “Practice-Web,” the “Client,” and the “Effective Date” are as defined in the earliest dated agreement still in effect between Practice-Web and the Client incorporating this BAA by reference.
2. Permitted Uses and Disclosures.
2.1. Pursuant to this BAA, Practice-Web may Use and Disclose PHI created, received, maintained or transmitted for or from the Client to provide the Services, or as otherwise permitted under this BAA. Practice-Web may not use or disclose protected health information in a manner that would violate Subpart E of 45 C.F.R. Part 164 if done by the Client.
2.2. Practice-Web may also Use PHI it creates, receives, maintains or transmits for or from the Client as required for Practice-Web’s proper management and administration (including, but not limited to, Practice-Web’s internal operations and refinement of its business methods) or to carry out Practice-Web’s legal responsibilities. Practice-Web may Disclose such PHI as necessary for Practice-Web’s proper management and administration or to carry out Practice-Web’s legal responsibilities if (i) the Disclosure is Required by Law, or (ii) Practice-Web obtains reasonable assurance, evidenced by written contract, from any person or entity to which Practice-Web will Disclose such PHI that the person or organization will (a) hold the PHI in confidence and Use or further Disclose the PHI only for the purpose for which Practice-Web Disclosed it to the person or organization or as Required by Law, and (b) notify Practice-Web (who will in turn notify the Client as described in Section 6 below) of any instance of which the person or organization becomes aware in which the Confidentiality of such PHI was Breached.
2.3. To the extent that Practice-Web is to carry out any of the Client’s obligations that are regulated by HIPAA, Practice-Web shall comply with the HIPAA requirements that apply to the Client in the performance of such obligation.
3. Minimum Necessary Information. To the extent required by the HIPAA Regulations, Practice-Web shall Use and Disclose on behalf of the Client only the minimum amount of PHI necessary to provide the Services. Minimum Necessary shall have the meaning ascribed to it in the HIPAA Regulations or in any later guidance issued by the Secretary of Health and Human Services (“HHS”).
4. Information Safeguards. Practice-Web will use appropriate administrative, technical and physical safeguards consistent with the size and complexity of Practice-Web’s operations, and comply, where applicable, with Subpart C of 45 C.F.R. Part 164 with respect to PHI in electronic form, to prevent Use or Disclosure of PHI other than as provided for by this BAA.
5. The Client Representations
5.1 The Client shall not request Practice-Web to Use or Disclose PHI in any manner that would not be permissible under Subpart E of 45 C.F.R. Part 164 if done by the Client.
5.2 The Client represents that it has obtained any necessary consents and Authorizations from any patients to which the PHI pertains to enable Practice-Web to provide the Services hereunder.
5.3 The Client shall notify Practice-Web of any limitation(s) in the Notice of Privacy Practices of the Client under 45 C.F.R. 164.520, to the extent that such limitation may affect Practice-Web’s Use or Disclosure of PHI.
5.4 The Client shall notify Practice-Web of any changes in, or revocation of, the permission by an Individual to Use or Disclose his or her PHI, to the extent that such changes may affect Practice-Web’s Use or Disclosure of PHI.
5.5 The Client shall notify Practice-Web of any restriction on the Use or Disclosure of PHI that the Client has agreed to or is required to abide by under 45 C.F.R. 164.522, to the extent that such restriction may affect Practice-Web’s Use or Disclosure of PHI.
6. Incident Reporting. Practice-Web shall report to the Client any Use or Disclosure of PHI not provided for by the BAA of which it becomes aware, including Breaches of Unsecured PHI as required at 45 C.F.R. 164.410, and any Security Incident of which it becomes aware, provided, however, that for purposes of this Security Incident reporting requirement, the term “Security Incident” shall not include inconsequential incidents that occur on a daily basis, such as scans, “pings” or other unsuccessful attempts to penetrate computer networks or servers containing electronic PHI maintained by Practice-Web.
7. Subcontractors. Practice-Web may use subcontractors to perform the Services hereunder. Practice-Web shall ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of Practice-Web agree to the same restrictions, conditions, and requirements that apply to Practice-Web with respect to such information in accordance with 45 C.F.R. 164.502(e)(1)(iii) and 45 C.F.R. 164.308(b)(2) to the extent applicable.
8. Availability of Books and Records. Practice-Web shall permit the Secretary and other regulatory and accreditation authorities to audit Practice-Web’s internal practices, books and records at reasonable times as they pertain to the Use and Disclosure of PHI received from, or created or received by Practice-Web on behalf of, Covered Entity in order to ensure that Covered Entity or Practice-Web is in compliance with the requirements of the Privacy Rule.
9. Patient Rights.
9.1 Practice-Web acknowledges that the HIPAA Regulations require the Client to provide patients with a number of privacy rights. To assist the Client Entity in complying with these requirements, Practice-Web agrees to the following:
9.1.1 Patient Access. To the extent required by the HIPAA Regulations, Practice-Web will make available PHI in a Designated Record Set, if a Designated Record Set is maintained by Practice-Web, to the Client as necessary to satisfy the Client’s obligations under 45 C.F.R. 164.524.
9.1.2 Amendment. To the extent required by the HIPAA Regulations, Practice-Web shall make any amendment(s) to PHI in a Designated Record Set, if a Designated Record Set is maintained by Practice-Web, as directed or agreed to by the Client pursuant to 45 C.F.R. 164.526.
9.1.3 Accounting of Disclosures. To the extent required by the HIPAA Regulations, Practice-Web will maintain and make available the information required to provide an Accounting of Disclosures to the Client as necessary to satisfy the Client’s obligations under 45 C.F.R. 164.528.
9.2 Requests Received by Practice-Web. If Practice-Web receives a patient request for PHI held by Practice-Web on behalf of the Client, or receives a patient request to exercise any other patient rights, Practice-Web shall notify the Client of such request and forward the request to the Client. Practice-Web shall then assist the Client in responding to the request, in accordance with the above provisions.
10. Term and Termination.
10.1 Term. The term of this BAA shall continue until termination of all of the Underlying Agreements or termination by either party in accordance with Section 10.2.
10.2 Material Breach. Where either party has knowledge of a material breach of this BAA by the other party and cure is possible, the non-breaching party shall provide the breaching party with an opportunity to cure. Where said breach is not cured within ten (10) business days of the breaching party’s receipt of notice from the non-breaching party of said breach, the non-breaching party shall, if feasible, terminate this BAA and the portion(s) of the Underlying Agreement affected by the breach. Where either party has knowledge of a material breach by the other party and cure is not possible, the non-breaching party shall, if feasible, terminate this BAA and the portion(s) of the Underlying Agreement affected by the breach.
10.3 Return of Destruction of PHI. Upon termination, cancellation, expiration or other conclusion of this BAA, for any reason, Practice-Web shall, if feasible, return or destroy all PHI, in whatever form or medium, which Practice-Web created or received for or from the Client. To the extent that Practice-Web decides that any return or destruction of PHI is not feasible, the parties agree that the requirements set forth in this BAA with respect to the PHI shall survive termination of this BAA, and Practice-Web shall extend the protections of this BAA to such PHI and shall not use or disclose such PHI other than for the purposes for which such PHI was retained and subject to the same conditions, restrictions and limitations set out in this BAA, for as long as Practice-Web maintains such PHI.
11. Limitation of Liability. IN NO EVENT SHALL PRACTICE-WEB’S LIABILITY FOR ANY BREACH OF THIS AGREEMENT EXCEED THE AMOUNT OF FEES PAID BY THE CLIENT TO PRACTICE-WEB FOR THE SERVICES FOR THE PERIOD OF THREE (3) MONTHS PRIOR TO THE OCCURRENCE OF SUCH BREACH. WITHOUT LIMITATION TO THE FOREGOING, PRACTICE-WEB SHALL NOT BE RESPONSIBLE OR HELD LIABLE FOR ANY CONSEQUENTIAL, SPECIAL, PUNITIVE, EXEMPLARY, INDIRECT OR INCIDENTAL LOSSES OR DAMAGES RELATED TO THE SUBJECT MATTER HEREOF OR FOR ANY BREACH OF THIS AGREEMENT, EVEN IF PRACTICE-WEB HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
12. Miscellaneous.
12.1 Notice. All notices, requests, demands and other communications required or permitted to be given or made under this BAA shall be in writing, shall be effective upon receipt or attempted delivery, and shall be sent by (i) personal delivery; (ii) certified or registered United States mail, return receipt requested; (iii) overnight delivery service with proof of delivery; or (iv) electronic mail. Notices shall be sent to the addresses below. Neither party shall refuse delivery of any notice hereunder. Either party may change its address by delivery of notice of such change pursuant to this Section 12.1.
THE CLIENT:
At the Client’s address on record with Practice-Web.
PRACTICE-WEB:
Practice-Web Inc.
P.O. Box 4678
El Dorado Hills, CA 95762
email: [email protected]
12.2 Waiver. No failure on the part of either party to exercise, and no delay in exercising, any right or remedy hereunder shall operate as a waiver thereof; nor shall any single or partial exercise of any right or remedy hereunder preclude any other right or remedy or further exercise thereof or the exercise of any other right or remedy granted herein.
12.3 Assignment. Practice-Web shall have the right to assign its rights and obligations hereunder to any entity that is an affiliate or successor of Practice-Web, without the prior approval of the Client.
12.4 Severability. Any provision of this BAA that is determined to be invalid or unenforceable will be ineffective to the extent of such determination without invalidating the remaining provisions of this BAA or affecting the validity or enforceability of such remaining provisions.
12.5 Entire Agreement; No Third Party Beneficiaries. This BAA constitutes the complete agreement between Practice-Web and the Client relating to the matters specified in this BAA, and supersedes all prior representations or agreements, whether oral or written, with respect to such matters. No oral modification or waiver of any of the provisions of this BAA shall be binding on either party. No obligation on either party to enter into any transaction is to be implied from the execution or delivery of this BAA. This BAA is for the benefit of, and shall be binding upon the parties, their affiliates and respective successors and assigns. No third party shall be considered a third-party beneficiary under this BAA, nor shall any third party have any rights as a result of this BAA.
12.6 Governing Law. This BAA shall be governed by and interpreted in accordance with the laws of the State of California, excluding its conflicts of law provisions. Venue for any dispute relating to this Agreement shall be in Sacramento County, California.
12.7 Nature of Agreement; Independent Contractor. Nothing in this BAA shall be construed to create (i) a partnership, joint venture or other joint business relationship between the parties or any of their affiliates, or (ii) a relationship of employer and employee between the parties. Practice-Web is an independent contractor, and not an agent of the Client.
12.8 Effective Delivery. A party’s transmission by facsimile or by electronic signature of the Underlying Agreements shall constitute effective delivery of this BAA.
12.9 Interpretation, Changes in Law. Any ambiguity in this BAA shall be resolved to permit the Client and Practice-Web to comply with the HIPAA Regulations. Upon the effective date of any final regulation or amendment to final regulations promulgated by HHS, this BAA shall automatically amend such that the obligations they impose on Practice-Web and the Client remain in compliance with these regulations and guidance.
12.10 Survival. The following Sections shall survive termination of this BAA: Sections 10, 11, 12.
