This Business Associate Agreement (the “Agreement”) is a binding agreement between Casect, LLC (“Business Associate”) and Subscriber (hereinafter referred to as the “Covered Entity”).
WHEREAS, Covered Entity and Business Associate are parties to an End User License Agreement for the Platform (the “EULA”), pursuant to which Business Associate may provide functions or activities on behalf of the Covered Entity as to constitute a “business associate” of the Covered Entity, as defined in the Privacy and Security Standards; and
WHEREAS, Covered Entity and Business Associate do hereby desire to enter into this Agreement as required under the Privacy and Security Standards.
NOW, THEREFORE, Covered Entity and Business Associate do hereby contract and agree as follows:
1. Definitions
Capitalized terms used, but not otherwise defined, in this
Agreement shall have the same meanings as those terms in the
HIPAA Rules, except that the terms “Protected Health
Information” (“PHI”) and “Electronic Protected Health
Information” (“ePHI”) shall have the same meanings as set forth
in 45 C.F.R. § 160.103, limited to the information created or
received by Business Associate from or on behalf of Subscriber
in connection with the EULA set forth herein.
2. Privacy Obligations
Permitted Uses and Disclosures. Business Associate may use and disclose PHI as necessary to
perform the functions, activities, and services contemplated by
the EULA. Business Associate may also use or disclose PHI as
Required by Law.
Limit on Disclosures. Business Associate agrees to not use or disclose PHI other than
(i) as permitted or required by this Agreement; or (ii) as
Required by Law. Business Associate may not use or disclose PHI
in a manner that would violate Subpart E of 45 C.F.R. Part 164 if
done by Subscriber, except that Business Associate may use or
disclose PHI (i) for the proper management and administration of
Business Associate or to carry out the legal responsibilities of
Business Associate (provided that any disclosures for the
purposes described in clause (i) of this sentence are Required
By Law, or Business Associate obtains reasonable assurances from
the person to whom the information is disclosed that the
information will remain confidential and be used or further
disclosed only as Required By Law or for the purpose for which
it was disclosed to the person, and the person notifies the
Business Associate of any instances of which it is aware in
which the confidentiality of the information has been breached);
or (ii) to provide Data Aggregation services related to the
Health Care Operations of Subscriber.
Appropriate Safeguards. Business Associate agrees to use appropriate safeguards to
prevent use or disclosure of PHI other than as provided for by
this Agreement and to comply with applicable provisions of
Subpart C of 45 C.F.R. Part 164 with respect to ePHI.
Reporting of Security Incident, Improper Use or Disclosure and Breach. Business Associate agrees to report to Subscriber any Security
Incident and any use or disclosure of the PHI not permitted by
this Agreement, of which Business Associate becomes aware. Such
report shall be made without unreasonable delay and no later
than sixty (60) days after Business Associate's discovery of the
Security Incident or non-permitted use or disclosure.
Notwithstanding the foregoing, the Parties acknowledge and agree
that this section constitutes notice by Business Associate to
Subscriber of the ongoing existence and occurrence of attempted
but Unsuccessful Security Incidents (as defined below) for which
no additional notice to Subscriber shall be required.
“Unsuccessful Security Incidents” shall include, but not be
limited to, pings and other broadcast attacks on Business
Associate's firewall, port scans, unsuccessful log-on attempts,
denials of service and any combination of the above, so long as
no such incident results in unauthorized access, use, or
disclosure of ePHI. In addition, Business Associate shall notify
the Subscriber in accordance with 45 C.F.R. § 164.410 of any
Breach of PHI that is Unsecured Protected Health Information.
Such notification shall be made without unreasonable delay and
no later than sixty (60) days after the Breach is discovered by
Business Associate. To the extent possible, Business Associate
shall also provide the applicable Subscriber such information
that the Subscriber is required to include in notification to
the individual under 45 C.F.R. § 164.404(c) at the time of the
notification, or as promptly thereafter as such information
becomes available.
Mitigations. Business Associate agrees to mitigate, to the extent
practicable, harmful effects from any non-permitted use or
disclosure of PHI by Business Associate.
Subcontractors. In accordance with 45 C.F.R. § 164.502(e)(1)(ii) and
164.308(b)(2), if applicable, Business Associate agrees to
ensure that any Subcontractor that creates, receives,
maintains, or transmits PHI on behalf of Business Associate
agrees to the same restrictions and conditions that apply to
Business Associate with respect to such information.
Designated Record Set. To the extent it holds information in a Designated Record Set,
Business Associate agrees to make available and provide access
to, at the request of Subscriber, PHI in a Designated Record
Set, to Subscriber as necessary to satisfy Subscriber's
obligations under 45 C.F.R. § 164.524. Business Associate shall
forward any requests for access that Business Associate receives
directly from an individual to Subscriber to fulfill. To the
extent it holds information in a Designated Record Set, Business
Associate agrees to incorporate any amendment of PHI in a
Designated Record Set, in accordance with 45 C.F.R. § 164.526 as
directed by Subscriber. Business Associate shall forward any
requests for amendment that Business Associate receives directly
from an individual to Subscriber to fulfill.
Accounting. With respect to disclosures by Business Associate, Business
Associate agrees to maintain and make available to Subscriber
the information required by 45 C.F.R. § 164.528 to permit
Subscriber to respond to a written request for an accounting of
disclosures of PHI in accordance with 45 C.F.R. § 164.528.
Business Associate shall forward any requests for accountings of
disclosures that Business Associate receives directly from an
individual to Subscriber to fulfill.
Government Access. Business Associate agrees to make its internal practices, books,
and records relating to the use and disclosure of PHI available
to the Secretary for purposes of the Secretary determining
compliance with the HIPAA Rules.
Compliance. To the extent Business Associate is to carry out any of
Subscriber's obligations under Subpart E of 45 C.F.R. Part 164,
Business Associate shall comply with the requirements of Subpart
E that apply to Subscriber in the performance of that
obligation.
Minimum Necessary. Business Associate agrees to make uses and disclosures and
requests for PHI consistent with the minimum necessary
requirements of the HIPAA Rules.
3. Obligations of Subscriber
Notification. Subscriber shall notify Business Associate of any limitation(s)
in its notice of privacy practices of Subscriber issued
pursuant to 45 C.F.R. § 164.520, to the extent that such
limitation may affect Business Associate's use or disclosure of
PHI. Subscriber shall notify Business Associate of any changes
in, or revocation of, permission by an individual to use or
disclose PHI, to the extent that such changes may affect
Business Associate's use or disclosure of PHI. Subscriber shall
notify Business Associate of any restriction to the use or
disclosure of PHI that Subscriber has agreed to or is required
to abide by under 45 C.F.R. § 164.522, to the extent that such
restriction may affect Business Associate's use or disclosure of
PHI.
Obtaining Consents. Subscriber shall obtain all consents, permissions or authorizations, if any, required for Subscriber to disclose PHI to Business Associate and for Business Associate to use and disclose PHI as permitted herein.
Minimum Necessary. Subscriber agrees to limit its disclosure of PHI to Business
Associate to the minimum necessary to accomplish the intended
purpose of such disclosure.
Permissible Requests by Subscriber. Subscriber shall not request Business Associate to use or
disclose PHI in any manner that would not be permissible under
Subpart E of 45 C.F.R. Part 164 if done by Subscriber.
4. Term and Termination
Term. The term of this Agreement shall be effective as of the
Effective Date, and shall terminate upon the earlier to occur
of: (i) the termination of this Agreement for cause pursuant to
Section 4(b) below; or (ii) termination of the EULA.
Termination for Cause. Either Party may terminate this Agreement due to a material
breach of this Agreement by one Party upon giving the other
Party thirty (30) days prior written notice, provided the
breaching Party does not cure the breach prior to the effective
date of termination.
Effect of Termination. Upon the termination of this Agreement for any reason, Business
Associate shall return or destroy all PHI and require its
Subcontractors to do the same. Notwithstanding the foregoing, in
the event that Business Associate determines that returning or
destroying the PHI is infeasible, Business Associate shall
extend the protections of this Agreement to such PHI and limit
further uses and disclosures of such PHI to those purposes that
make the return or destruction infeasible for as long as
Business Associate maintains such PHI. The provisions of this
Section 4(c) shall survive the termination or expiration of this
Agreement.
5. Limitation of Liability
IN NO EVENT SHALL EITHER PARTY BE LIABLE TO THE OTHER PARTY OR
ITS AFFILIATES OR THEIR RESPECTIVE OFFICERS, DIRECTORS,
EMPLOYEES, AND AGENTS FOR LOSS OR DAMAGE OF LOST PROFITS OR
REVENUES OR SIMILAR ECONOMIC LOSS OR FOR ANY CONSEQUENTIAL,
SPECIAL, INCIDENTAL, INDIRECT OR PUNITIVE DAMAGES, WHETHER IN
CONTRACT, TORT OR OTHERWISE, ARISING OUT OF OR IN CONNECTION
WITH THIS AGREEMENT, EVEN IF SUCH PARTY HAS BEEN ADVISED OF SUCH
CLAIM.
6. EULA Provisions
All of the provisions contained in Sections 11 and 15 of the
EULA, including but not limited to dispute resolution and
contract construction, shall apply with equal force and effect
to this Business Associate Agreement and the rights and
obligations of Service Provider and Covered Entity.