HIPAA Business Associate Agreement (BAA)

Agreement governing permitted uses and safeguards for Protected Health Information (PHI) under HIPAA.

BAA Version: v1.1-2025-10-01

Last Updated: October 1, 2025

By checking “I agree to the BAA,” an authorized representative binds the organization to this BA Agreement. The acceptance timestamp will constitute the Effective Date for clickwrap acceptance.

Electronic Agreement; Clickwrap Acceptance

By checking "I agree to the BAA" and proceeding, the individual acting on behalf of the organization identified during signup (the "Covered Entity") represents that they are authorized to bind the Covered Entity and agrees that this BA Agreement is executed electronically and is legally binding. The "Effective Date" is the timestamp recorded by Penciled upon acceptance. Covered Entity’s name, acceptance timestamp, BAA version, and this page URL may be stored by Penciled as the execution record.

WHEREAS, Business Associate and Covered Entity have entered into a Services Agreement under which Business Associate will provide certain products and/or services to or on behalf of Covered Entity (the “Services”), and Business Associate and Covered Entity anticipate that Business Associate will create or receive Protected Health Information from and/or on behalf of Covered Entity, which information is subject to protection under HIPAA; and

WHEREAS, in light of the foregoing and the requirements of HIPAA, Business Associate and Covered Entity agree to be bound by the following terms and conditions.

1. Definitions

Capitalized terms used but not otherwise defined have the meanings set forth in HIPAA, as amended from time to time.

"Services Agreement" means any present or future agreement(s), written or oral, under which Business Associate provides services to Covered Entity that involve the use or disclosure of PHI.

2. Obligations and Activities of Business Associate

- Use and Disclosure. Business Associate will not use or disclose PHI except as permitted or required by the Services Agreement, this BA Agreement, for the Purpose, or as Required by Law. Business Associate will comply with HIPAA provisions applicable to business associates regarding privacy and security of PHI.
- Appropriate Safeguards. Business Associate will implement administrative, organizational, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of Electronic PHI as required by the Security Rule.
- Security Incidents & Breach Notification. Business Associate will report Security Incidents involving Electronic PHI of which it becomes aware. Any actual, successful Security Incident will be reported without unreasonable delay. Business Associate will notify Covered Entity following discovery of a Breach of Unsecured PHI without unreasonable delay and in no case later than 60 days after discovery (or within any shorter deadline required by applicable state law), including information sufficient to identify affected Individuals and relevant incident details.
- Reporting of Impermissible Uses/Disclosures. Business Associate will report, without unreasonable delay, any use or disclosure not permitted by this BA Agreement of which it becomes aware.
- Minimum Necessary. To the extent required by HIPAA, Business Associate will request, use and disclose only the minimum PHI necessary to accomplish the intended purpose.
- Mitigation and Cooperation. Business Associate will take reasonable steps to mitigate any harmful effect known to Business Associate of an impermissible use or disclosure, Security Incident, or Breach, and will reasonably cooperate and coordinate with Covered Entity, including in preparation of any required notices.
- Subcontractors. Business Associate will enter into written agreements meeting 45 C.F.R. §§ 164.504(e) and 164.314(a)(2) with each subcontractor that creates, receives, maintains or transmits PHI on its behalf, obligating such subcontractor to restrictions and conditions at least as protective as those in this BA Agreement.
- Access, Amendment, Accounting. To the extent Business Associate maintains PHI in a Designated Record Set, Business Associate will facilitate Covered Entity’s responses to requests for access, amendment, and accounting of disclosures within HIPAA timeframes and will forward any direct Individual requests to Covered Entity within the specified notice periods.
- Books and Records; HHS Access. Business Associate will make its internal practices, books and records relating to the use and disclosure of PHI available to the Secretary of HHS for purposes of determining HIPAA compliance.

3. Permitted Uses and Disclosures by Business Associate

- Services Agreement / Purpose. Business Associate may use or disclose PHI to perform functions, activities, or services for or on behalf of Covered Entity as specified in a Services Agreement or for the Purpose, provided such use or disclosure would be permissible for Covered Entity and is consistent with the minimum necessary standard.
- Use/Disclosure for Management and Administration. Business Associate may use PHI for its proper management and administration or to carry out its legal responsibilities (including modifications or upgrades to software/services, development of new features, or related products). Disclosures for these purposes are permitted if Required by Law or if Business Associate obtains reasonable assurances from the recipient regarding confidentiality and limited use.
- Data Aggregation. Business Associate may use PHI to provide data aggregation services relating to Covered Entity’s health care operations where permitted.
- De-identified Information. Business Associate may create de-identified information in accordance with HIPAA de-identification requirements and may use or disclose de-identified data for any lawful purpose.

4. Obligations of Covered Entity

- Permissible Requests. Covered Entity will not request Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy Rule if done by Covered Entity (except as permitted for Business Associate’s management/administration or legal responsibilities).
- Minimum Necessary PHI. Covered Entity will disclose only the minimum PHI necessary for the intended purpose.
- Permissions; Restrictions; Notices. Covered Entity warrants it has obtained and will obtain all required consents/authorizations, will notify Business Associate of any changes or revocations affecting use/disclosure, and will not impose additional restrictions limiting Business Associate’s permitted uses/disclosures unless Business Associate consents.
- Notice of Privacy Practices. Covered Entity will not include any limitation in its notice of privacy practices that restricts Business Associate’s permitted uses/disclosures under this BA Agreement without Business Associate’s consent, except as required by law.

5. Term and Termination

- Term. This BA Agreement becomes effective on the Covered Entity’s acceptance timestamp and continues until all PHI provided to Business Associate, or created or received on behalf of Covered Entity, is returned or destroyed; if it is infeasible to return or destroy such PHI, protections extend to the retained PHI and further uses/disclosures are limited to the purposes making return or destruction infeasible (including backups or an ongoing investigation).
- Termination for Breach. Upon knowledge of a material breach, the non-breaching party will provide an opportunity to cure within thirty (30) calendar days. If not cured, the non-breaching party may terminate (A) this BA Agreement; and (B) the Services Agreement provisions involving PHI, or report the breach to HHS if termination is infeasible.
- Effect of Termination. Except as provided below, upon termination Business Associate will return or destroy all PHI received from Covered Entity, including PHI held by subcontractors/agents, and retain no copies. If returning or destroying PHI is infeasible, Business Associate will extend the protections of this BA Agreement to such PHI and limit further uses/disclosures to those purposes that make return or destruction infeasible until deletion is possible. Covered Entity acknowledges that (i) deletion from backup systems is infeasible; and (ii) temporary retention may be necessary during an ongoing investigation of a Security Incident or Breach.

6. Compliance with HIPAA Transaction Standards

Business Associate will comply with applicable HIPAA standards (including 45 C.F.R. Part 162) for electronic transactions and ensure its services/products (and supporting agents/subcontractors) meet modifications to those standards by applicable compliance dates.

7. Miscellaneous

- Regulatory References. References to HIPAA include subsequent amendments and superseding laws/regulations.
- Amendment. The parties will take necessary action to amend any Services Agreement governed by this BA Agreement as needed to comply with HIPAA.
- Survival. Obligations regarding PHI retention/protection that by their nature survive termination shall do so (e.g., Section 5(c)).
- Interpretation. Any ambiguity shall be resolved to permit compliance with HIPAA.
- Precedence; Incorporation; Governing Law; Venue. The terms of this BA Agreement are incorporated into any Services Agreement. In the event of conflict related to PHI, this BA Agreement controls; unmodified Services Agreement terms remain in effect. This BA Agreement is governed by the laws of the State of New York, exclusive of conflict-of-law rules. Any legal action or proceeding shall be brought exclusively in the state or federal courts located in New York County, New York.

Nothing herein is legal advice. Covered Entity should consult counsel for any modifications. To obtain a copy of your acceptance record (timestamp, BAA version, and Covered Entity name), contact support.