Exhibit C – Business Associate Agreement
Last updated May 15, 2023
Exhibit C – Business Associate Agreement
Exhibit C – Business Associate Agreement
THIS BUSINESS ASSOCIATE AGREEMENT (this “BA Agreement”) is entered into on the Agreement Date, as set forth in the Client Service Agreement by and between the Parties (the “Effective Date”), between the Client, as set forth in the Client Service Agreement (hereinafter referred to as “Covered Entity”), and PRN SOFTWARE LLC, a Massachusetts limited liability company doing business as DoseSpot (hereinafter referred to as “Business Associate”) (individually a “Party” and collectively the “Parties”).
This BA Agreement is incorporated into the Client Service Agreement by and between the Parties, as such BA Agreement may be amended from time to time.
WHEREAS,COVERED ENTITY is subject to the federal Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. §§ 1320d – 1320d-8 (“HIPAA”), as amended from time to time, and is required to safeguard individually identifiable health information that it uses, discloses, maintains, or otherwise accesses (hereinafter “protected health information” or “PHI”) in accordance with the requirements HIPAA establishes and also the requirements set forth in the Health Information Technology Act for Economic and Clinical Health Act and any regulations promulgated thereunder (the “HITECH Act”);
WHEREAS, COVERED ENTITY desires to delegate to BUSINESS ASSOCIATE certain tasks, as identified herein, on behalf of COVERED ENTITY which may involve the use or disclosure of PHI created or received by COVERED ENTITY and/or other business associates of the COVERED ENTITY; and WHEREAS, BUSINESS ASSOCIATE desires to perform the designated services on behalf of COVERED ENTITY.
NOW THEREFORE, for and in consideration of the mutual premises, conditions and covenants herein contained, the Parties agree as follows:
(a) Regulations. Terms used, but not otherwise defined, in this BA Agreement shall have the same meaning as those terms in the federal Standards for Privacy of Individually Identifiable Health Information, 45 C.F.R. Parts 160 and 164 (the “Privacy Rule”) and the federal Security Standards, 45 C.F.R. Parts 160 and 164 (the “Security Rule”), and Breach Notification Standards, 45 C.F.R. Parts 160 and 164, as they may be amended from time to time (collectively, the “HIPAA Rules”).
(b) The following terms used in this BA Agreement shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Individual, Individually Identifiable Health Information, Minimum Necessary, Notice of Privacy Practices, Protected Health Information, Required by Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use.
2. Specific Definitions
(a) Business Associate. “Business Associate” shall generally have the same meaning as the term “business associate” at 45 C.F.R. § 160.103 and in reference to the Party to this BA Agreement, shall mean PRN Software LLC.
(b) Covered Entity. “Covered Entity” shall generally have the same meaning as the term “covered entity” at 45 C.F.R. § 160.130 and in reference to the Party to this BA Agreement, shall have the meaning set forth in the recitals.
(c) “Protected Health Information” or “PHI” as used in this BA Agreement means (subject to the definition at 45 C.F.R. § 160.103) Protected Health Information that Business Associate receives from Covered Entity or that Business Associate creates or receives on behalf of Covered Entity. This BA Agreement is intended to comply with the requirements for business associate agreements under the Privacy Rule and is to be construed to achieve compliance with those requirements. References to the specific provision of the Privacy Rule and/or Security Rule are provided, as appropriate.
3. Obligations of Business Associate
(a) Business Associate agrees not to use or disclose PHI other than as permitted or required by this BA Agreement or as Required by Law. Business Associate will comply with the provisions of this BA Agreement related to the privacy, security and breach notification of PHI and all present and future provisions of the HIPAA Rules that are applicable to Covered Entity and/or Business Associate. To the extent that Business Associate is to carry out any of Covered Entity’s obligations under the Privacy Rule, Business Associate shall comply with the requirements of the Privacy Rule that apply to such covered entity in the performance of such obligations.
(b) Business Associate agrees to use appropriate safeguards to prevent use or disclosure of the PHI other than as provided for by this BA Agreement and comply with the Security Rule with respect to electronic PHI.
(c) Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this BA Agreement.
(d) Business Associate agrees to report promptly to Covered Entity any use or disclosure of the PHI not provided for by this BA Agreement or Security Incident of which it becomes aware. This provision applies to Breaches of Unsecured PHI, as those terms are defined at 45 C.F.R. § 164.402. Business Associate’s notice shall include the applicable elements as set forth at 45 C.F.R. § 164.410(c). Notwithstanding the foregoing, notice is hereby deemed given for Unsuccessful Security Incidents and no further notice of such Unsuccessful Security Incidents shall be required or given. For purposes of this section, “Unsuccessful Security Incidents” means, without limitation, pings and other broadcast attacks of Business Associate’s firewall, port scans, unsuccessful logon attempts, and any combination of the above, as long as no incident results in unauthorized access, acquisition, use or disclosure of PHI.
(e) In accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, Business Associate agrees to enter into written agreements with any agent, including a subcontractor, that creates, receives, maintains, or transmits PHI on behalf of Business Associate, and the terms of such agreements shall incorporate restrictions and conditions that are no less restrictive than those that apply through this BA Agreement to Business Associate with respect to such information.
(f) Business Associate agrees to provide access, at the request of Covered Entity, and in a timely manner, to PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 C.F.R. § 164.524.
(g) Business Associate agrees to make any amendment(s) to PHI in a Designated Record Set that Covered Entity directs or agrees in order to meet the requirements pursuant to 45 C.F.R. § 164.526 at the request of Covered Entity or an Individual, and in a timely manner.
(h) Business Associate agrees to make internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, Covered Entity available to the Secretary, in a timely manner, for purposes of the Secretary determining Covered Entity’s compliance with the Privacy Rule.
(i) Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by Covered Entity or, as directed by Covered Entity, by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528.
(j) Business Associate agrees to provide Covered Entity, in a timely manner, information collected in accordance with Section 3(i) of this BA Agreement, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528.
4. Permitted Use and Disclosures by Business Associate
(a) Except as otherwise prohibited by law or limited in this BA Agreement, Business Associate may use or disclose PHI to perform functions, activities, or services for, or on behalf of, Covered Entity as specified in this BA Agreement or the underlying client service agreement and order form between the Parties, provided that such use or disclosure would not violate the HIPAA Rules if done by Covered Entity or the minimum necessary policies and procedures of the Covered Entity.
(b) In addition to the purposes set forth in subparagraph (a), Business Associate may use or disclose PHI provided or made available from Covered Entity for the proper management and administration of Business Associate or to carry out legal responsibilities of Business Associate. Notwithstanding the foregoing, such a use and disclosure is permitted provided that:
(1) the disclosures are Required by Law, or
(2) Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
(c) Business Associate may use PHI to provide Data Aggregation services to Covered Entity as permitted by 45 C.F.R. § 164.504(e) (2)(i)(B).
(d) Business Associate may de-identify PHI in accordance with 45 C.F.R. § 164.514.
5. Obligations of Covered Entity
(a) Covered Entity shall notify Business Associate of any limitation(s) in Covered Entity’s Notice of Privacy Practices in accordance with 45 C.F.R. § 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI.
(b) Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by Individual to use or disclose PHI, to the extent that such changes may affect Business Associate’s use or disclosure of PHI.
(c) Covered Entity shall notify Business Associate of any restriction to the use or disclosure of PHI pursuant to 45 C.F.R. § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.
(d) Except as set forth in Section 4(b) and Section 4(c) of this BA Agreement, Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy Rule if done by Covered Entity.
(e) To the extent required under the HIPAA Rules, Covered Entity will request from Business Associate only the minimum PHI necessary for Business Associate to perform or fulfil a specific function required or permitted hereunder.
(f) Covered Entity represents and warrants that it has the right and authority to disclose PHI to Business Associate for Business Associate to perform its obligations and provide services to Covered Entity.
6. Term and Termination of Agreement
(a) Term. The Term of this BA Agreement shall commence as of the Effective Date and shall terminate when all of the PHI created, received, maintained or transmitted by Business Associate on behalf of Covered Entity is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy PHI, protections are extended to such information, in accordance with the termination provisions in this Section. This provision will survive the expiration or termination of this BA Agreement for any reason.
(b) Termination for Cause. Notwithstanding any other provisions of this BA Agreement, upon a Party’s knowledge of a material breach by the other Party of the terms of this BA Agreement, the non-breaching Party shall either:
(1) provide an opportunity for the breaching Party to cure the breach. The non-breaching Party may terminate this BA Agreement if the breaching Party does not cure the breach or end the violation within a reasonable time period as specified by the non-breaching Party; or
(2) immediately terminate this BA Agreement if cure is not possible.
(c) Effect of Termination.
(1) Except as provided in paragraph (2) of this Section, upon termination of this BA Agreement, for any reason, Business Associate shall return or destroy all PHI created, received, maintained, or transmitted from or on behalf of Covered Entity. Business Associate shall not retain copies of any PHI. This provision shall also apply to PHI that is in the possession of subcontractors or agents of Business Associate. This provision will survive the expiration or termination of this BA Agreement.
(2) In the event that Business Associate determines that returning or destroying the PHI is not feasible, Business Associate shall notify Covered Entity of this determination and its reasons. If Covered Entity agrees that return or destruction of PHI is not feasible, Business Associate shall extend the protections of this BA Agreement to such PHI and limit further uses or disclosures to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI. This provision shall also apply to PHI that is in the possession of subcontractors or agents of Business Associate. This provision will survive the expiration or termination of this BA Agreement.
(a) Regulatory References. A reference in this BA Agreement to a section in the HIPAA Rules means the section as in effect or as amended.
(b) Amendment. The Parties agree to take such action as is necessary to amend this BA Agreement from time to time as is necessary for the Parties to comply with the requirements of HIPAA and the HIPAA Rules.
(c) Third Party Beneficiaries. This BA Agreement has been made and is made solely for the benefit of the Parties named as Parties to the agreement and their respective successors and permitted assigns. Nothing in this BA Agreement is intended to confer any rights or remedies under or by reason of this BA Agreement on any persons other than the Parties to it and their respective successors and permitted assigns.
(d) Notice. Any notice, approval, request, authorization, direction or other communication under this BA Agreement will be given in writing and will be deemed to have been delivered and given for all purposes (i) on personal delivery to the Party to be notified; (ii) when sent, if sent by electronic mail or facsimile during normal business hours of the recipient, and if not sent during normal business hours, then on the recipient’s next business day; (iii) five (5) days after having been sent by registered or certified mail, return receipt requested, postage prepaid; or (iv) one (1) business day after deposit with a nationally recognized overnight courier, freight prepaid, specifying next business day delivery, with written verification of receipt.
(e) Waiver by Accepting Varied Performance. No waiver of any provision or consent to any action shall constitute a waiver of any other provision or consent to any other action, whether or not similar. No waiver or consent shall constitute a continuing waiver or consent or commit a Party to provide a waiver in the future except to the extent specifically set forth in writing. Any waiver given by a Party shall be null and void if the Party requesting such waiver has not provided a full and complete disclosure of all material facts relevant to the waiver requested.
(f) Independent Contractors. The Parties to this BA Agreement are independent contractors. Neither Party is an agent, representative or employee of the other Party. Neither Party will have any right, power or authority to enter into any agreement for or on behalf of, or incur any obligation or liability of, or to otherwise bind, the other Party. This BA Agreement will not be interpreted or construed to create an association, agency, joint venture or partnership between the Parties or to impose any liability attributable to such a relationship upon either Party.
(g) Amendments and Modifications. No amendment, modification, or supplement to this BA Agreement shall be binding on any of the Parties unless it is in writing and signed by the Parties in interest at the time of the modification.
(h) Integration. This BA Agreement as well as agreements and other documents referred to in this BA Agreement constitute the entire agreement between the Parties with regard to the subject matter hereof and thereof. This BA Agreement supersedes all previous agreements between or among the Parties. There are no agreements, representations, or warranties between or among the Parties other than those set forth in this BA Agreement or the documents and agreements referred to in this BA Agreement.
(i) Severability. If any term or provision of this BA Agreement is determined to be illegal, unenforceable, or invalid in whole or in part for any reason, such illegal, unenforceable, or invalid provisions or part thereof shall be stricken from this BA Agreement, and such provision shall not affect the legality, enforceability, or validity of the remainder of this BA Agreement. If any provision or part thereof of this BA Agreement is stricken in accordance with the provisions of this Section, then this stricken provision shall be replaced, to the extent possible, with a legal, enforceable, and valid provision that is as similar in tenor to the stricken provision as is legally possible.
(j) Choice of Law and Forum Selection. To the extent not preempted by HIPAA or the HIPAA Rules, the laws of the Commonwealth of Massachusetts shall govern this BA Agreement. The Parties agree that all actions or proceedings arising in connection with this BA Agreement shall be tried and litigated exclusively in the State and Federal courts located in Boston, Massachusetts.
(k) Supersedure. In the event that any term or provision of any agreement between the Parties conflicts with a term or provision of this BA Agreement, this BA Agreement shall control.
Call DoseSpot with any questions (888) 847-6814 or email: firstname.lastname@example.org