Printable Version
Exhibit C – Sub-Business Associate Agreement
Last updated August 15, 2024
Exhibit C – Sub-Business Associate Agreement
Exhibit C – Sub-Business Associate Agreement
THIS SUB-BUSINESS ASSOCIATE AGREEMENT (this “BA Agreement”) is entered into on the Agreement Date, as set forth in the Client Service Agreement by and between the Parties (the “Effective Date”), between the Client, as set forth in the Client Service Agreement (hereinafter referred to as “Business Associate”), and PRN SOFTWARE LLC, a Massachusetts limited liability company doing business as DoseSpot (hereinafter referred to as “Vendor”) (individually a “Party” and collectively the “Parties”).
This BA Agreement is incorporated into the Client Service Agreement by and between the Parties, as such BA Agreement may be amended from time to time.
WHEREAS, BUSINESS ASSOCIATE performs services on behalf of covered entities subject to the federal Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. §§ 1320d – 1320d-8 (“HIPAA”), as amended from time to time, and is required to safeguard individually identifiable health information of such covered entities that BUSINESS ASSOCIATE uses, discloses, maintains, or otherwise accesses (hereinafter “protected health information” or “PHI”) on behalf of such covered entities in accordance with the requirements HIPAA establishes and also the requirements set forth in the Health Information Technology Act for Economic and Clinical Health Act and any regulations promulgated thereunder (the “HITECH Act”);
WHEREAS, BUSINESS ASSOCIATE desires to delegate to VENDOR certain tasks, as identified herein, on behalf of BUSINESS ASSOCIATE which may involve the use or disclosure of PHI created or received by BUSINESS ASSOCIATE and/or other business associates of the covered entities; and
WHEREAS, VENDOR desires to perform the designated services on behalf of BUSINESS ASSOCIATE.
NOW THEREFORE, for and in consideration of the mutual premises, conditions and covenants herein contained, the Parties agree as follows:
1. Definitions
(a) Regulations. Terms used, but not otherwise defined, in this BA Agreement shall have the same meaning as those terms in the federal Standards for Privacy of Individually Identifiable Health Information, 45 C.F.R. Parts 160 and 164 (the “Privacy Rule”) and the federal Security Standards, 45 C.F.R. Parts 160 and 164 (the “Security Rule”), and Breach Notification Standards, 45 C.F.R. Parts 160 and 164, as they may be amended from time to time (collectively, the “HIPAA Rules”).
(b) The following terms used in this BA Agreement shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Individual, Individually Identifiable Health Information, Minimum Necessary, Notice of Privacy Practices, Protected Health Information, Required by Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use.
2. Specific Definitions
(a) Vendor. “Vendor” shall generally have the same meaning as the term “subcontractor” at 45 C.F.R. § 160.103 and in reference to the Party to this BA Agreement, shall mean PRN Software LLC.
(b) Business Associate. “Business Associate”
shall generally have the same meaning as the term “business associate” at 45 C.F.R. § 160.130 and in reference to the Party to this BA Agreement, shall have the meaning set forth in the recitals.
(c) “Protected Health Information” or “PHI” as used in this BA Agreement means (subject to the definition at 45 C.F.R. § 160.103) Protected Health Information that Vendor receives from Business Associate or that Vendor creates or receives on behalf of Business Associate. This BA Agreement is intended to comply with the requirements for business associate agreements under the Privacy Rule and is to be construed to achieve compliance with those requirements. References to the specific provision of the Privacy Rule and/or Security Rule are provided, as appropriate.
3. Obligations of Vendor
(a) Vendor agrees not to use or disclose PHI other than as permitted or required by this BA Agreement or as Required by Law. Vendor will comply with the provisions of this BA Agreement related to the privacy, security and breach notification of PHI and all present and future provisions of the HIPAA Rules that are applicable to Business Associate and/or Vendor. To the extent that Vendor is to carry out any of a covered entity’s obligations under the Privacy Rule, Vendor shall comply with the requirements of the Privacy Rule that apply to such covered entity in the performance of such obligations.
(b) Vendor agrees to use appropriate safeguards to prevent use or disclosure of the PHI other than as provided for by this BA Agreement and comply with the Security Rule with respect to electronic PHI.
(c) Vendor agrees to mitigate, to the extent practicable, any harmful effect that is known to Vendor of a use or disclosure of PHI by Vendor in violation of the requirements of this BA Agreement.
(d) Vendor agrees to report promptly to Business Associate any use or disclosure of the PHI not provided for by this BA Agreement or Security Incident of which it becomes aware. This provision applies to Breaches of Unsecured PHI, as those terms are defined at 45 C.F.R. § 164.402. Vendor’s notice shall include the applicable elements as set forth at 45 C.F.R. § 164.410(c). Notwithstanding the foregoing, notice is hereby deemed given for Unsuccessful Security Incidents and no further notice of such Unsuccessful Security Incidents shall be required or given. For purposes of this section, “Unsuccessful Security Incidents” means, without limitation, pings and other broadcast attacks of Vendor’s firewall, port scans, unsuccessful logon attempts, and any combination of the above, as long as no incident results in unauthorized access, acquisition, use or disclosure of PHI.
(e) In accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, Vendor agrees to enter into written agreements with any agent, including a subcontractor, that creates, receives, maintains, or transmits PHI on behalf of Vendor, and the terms of such agreements shall incorporate restrictions and conditions that are no less restrictive than those that apply through this BA Agreement to Vendor with respect to such information.
(f) Vendor agrees to provide access, at the request of Business Associate, and in a timely manner, to PHI in a Designated Record Set, to Business Associate or, as directed by Business Associate, to an Individual in order to meet the requirements under 45 C.F.R. § 164.524.
(g) Vendor agrees to make any amendment(s) to PHI in a Designated Record Set that Business Associate directs or agrees in order to meet the requirements pursuant to 45 C.F.R. § 164.526 at the request of Business Associate or an Individual, and in a timely manner.
(h) Vendor agrees to make internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created or received by Vendor on behalf of, Business Associate available to the Secretary, in a timely manner, for purposes of the Secretary determining Business Associate’s or an applicable covered entity’s compliance with the Privacy Rule.
(i) Vendor agrees to document such disclosures of PHI and information related to such disclosures as would be required for Business Associate to respond to a request by Business Associate or, as directed by Business Associate, by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528.
(j) Vendor agrees to provide Business Associate, in a timely manner, information collected in accordance with Section 3(i) of this BA Agreement, to permit Business Associate to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528.
4. Permitted Use and Disclosures by Vendor
(a) Except as otherwise prohibited by law or limited in this BA Agreement, Vendor may use or disclose PHI to perform functions, activities, or services for, or on behalf of, Business Associate as specified in this BA Agreement or the underlying client service agreement and order form between the Parties, provided that such use or disclosure would not violate the HIPAA Rules if done by Business Associate or the minimum necessary policies and procedures of the Business Associate.
(b) In addition to the purposes set forth in subparagraph (a), Vendor may use or disclose PHI provided or made available from Business Associate for the proper management and administration of Vendor or to carry out legal responsibilities of Vendor. Notwithstanding the foregoing, such a use and disclosure is permitted provided that:
(1) the disclosures are Required by Law, or
(2) Vendor obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person, and the person notifies Vendor of any instances of which it is aware in which the confidentiality of the information has been breached.
(c) Vendor may use PHI to provide Data Aggregation services to Business Associate as permitted by 45 C.F.R. § 164.504(e) (2)(i)(B).
(d) Vendor may de-identify PHI in accordance with 45 C.F.R. § 164.514.
5. Obligations of Business Associate
(a) Business Associate shall notify Vendor of any limitation(s) in covered entity’s Notice of Privacy Practices in accordance with 45 C.F.R. § 164.520, to the extent that such limitation may affect Vendor’s use or disclosure of PHI.
(b) Business Associate shall notify Vendor of any changes in, or revocation of, permission by Individual to use or disclose PHI, to the extent that such changes may affect Vendor’s use or disclosure of PHI.
(c) Business Associate shall notify Vendor of any restriction to the use or disclosure of PHI pursuant to 45 C.F.R. § 164.522, to the extent that such restriction may affect Vendor’s use or disclosure of PHI.
(d) Business Associate shall not request Vendor to use or disclose PHI in any manner that would not be permissible under the Privacy Rule if done by Business Associate.
(e) To the extent required under the HIPAA Rules, Business Associate will request from Vendor only the minimum PHI necessary for Vendor to perform or fulfill a specific function required or permitted hereunder.
(f) Business Associate represents and warrants that any and all consents, authorizations, or other permissions necessary under HIPAA for Vendor to perform its obligations and provide services to the Business Associate under the Client Services Agreement or the this Sub-BA Agreement have been properly secured.
(g) Business Associate may not transmit PHI subject to a restriction, to the extent that restriction would affect Vendor’s use/disclosure of the PHI, unless legally required to do so, without prior written permission by Vendor.
6. Term and Termination of Agreement
(a) Term. The Term of this BA Agreement shall commence as of the Effective Date and shall terminate when all of the PHI created, received, maintained or transmitted by Vendor on behalf of Business Associate is destroyed or returned to Business Associate, or, if it is infeasible to return or destroy PHI, protections are extended to such information, in accordance with the termination provisions in this Section. This provision will survive the expiration or termination of this BA Agreement for any reason.
(b) Termination for Cause. Notwithstanding any other provisions of this BA Agreement, upon a Party’s knowledge of a material breach by the other Party of the terms of this BA Agreement, the non-breaching Party shall either:
(1) provide an opportunity for the breaching Party to cure the breach. The non-breaching Party may terminate this BA Agreement if the breaching Party does not cure the breach or end the violation within a reasonable time period as specified by the non-breaching Party; or
(2) immediately terminate this BA Agreement if cure is not possible.
(c) Effect of Termination.
(1) Except as required by law or the Surescripts Requirements, or as provided in paragraph (2) of this Section, upon termination of this BA Agreement, for any reason, Vendor shall return or destroy all PHI created, received, maintained, or transmitted from or on behalf of Business Associate. Vendor shall not retain copies of any PHI. This provision shall also apply to PHI that is in the possession of subcontractors or agents of Vendor. This provision will survive the expiration or termination of this BA Agreement.
(2) In the event that Vendor determines that returning or destroying the PHI is not feasible, Vendor shall notify Business Associate of this determination and its reasons. If Business Associate agrees that return or destruction of PHI is not feasible, Vendor shall extend the protections of this BA Agreement to such PHI and limit further uses or disclosures to those purposes that make the return or destruction infeasible, for so long as Vendor maintains such PHI. This provision shall also apply to PHI that is in the possession of subcontractors or agents of Vendor. This provision will survive the expiration or termination of this BA Agreement.
7. Miscellaneous
(a) Regulatory References. A reference in this BA Agreement to a section in the HIPAA Rules means the section as in effect or as amended.
(b) Amendment. The Parties agree to take such action as is necessary to amend this BA Agreement from time to time as is necessary for the Parties to comply with the requirements of HIPAA and the HIPAA Rules.
(c) Third Party Beneficiaries. This BA Agreement has been made and is made solely for the benefit of the Parties named as Parties to the agreement and their respective successors and permitted assigns. Nothing in this BA Agreement is intended to confer any rights or remedies under or by reason of this BA Agreement on any persons other than the Parties to it and their respective successors and permitted assigns.
(d) Notice. Any notice, approval, request, authorization, direction or other communication under this BA Agreement will be given in writing and will be deemed to have been delivered and given for all purposes (i) on personal delivery to the Party to be notified; (ii) when sent, if sent by electronic mail or facsimile during normal business hours of the recipient, and if not sent during normal business hours, then on the recipient’s next business day; (iii) five (5) days after having been sent by registered or certified mail, return receipt requested, postage prepaid; or (iv) one (1) business day after deposit with a nationally recognized overnight courier, freight prepaid, specifying next business day delivery, with written verification of receipt.
(e) Waiver by Accepting Varied Performance. No waiver of any provision or consent to any action shall constitute a waiver of any other provision or consent to any other action, whether or not similar. No waiver or consent shall constitute a continuing waiver or consent or commit a Party to provide a waiver in the future except to the extent specifically set forth in writing. Any waiver given by a Party shall be null and void if the Party requesting such waiver has not provided a full and complete disclosure of all material facts relevant to the waiver requested.
(f) Independent Contractors. The Parties to this BA Agreement are independent contractors. Neither Party is an agent, representative or employee of the other Party. Neither Party will have any right, power or authority to enter into any agreement for or on behalf of, or incur any obligation or liability of, or to otherwise bind, the other Party. This BA Agreement will not be interpreted or construed to create an association, agency, joint venture or partnership between the Parties or to impose any liability attributable to such a relationship upon either Party.
(g) Amendments and Modifications. No amendment, modification, or supplement to this BA Agreement shall be binding on any of the Parties unless it is in writing and signed by the Parties in interest at the time of the modification.
(h) Integration. This BA Agreement as well as agreements and other documents referred to in this BA Agreement constitute the entire agreement between the Parties with regard to the subject matter hereof and thereof. This BA Agreement supersedes all previous agreements between or among the Parties. There are no agreements, representations, or warranties between or among the Parties other than those set forth in this BA Agreement or the documents and agreements referred to in this BA Agreement.
(i) Severability. If any term or provision of this BA Agreement is determined to be illegal, unenforceable, or invalid in whole or in part for any reason, such illegal, unenforceable, or invalid provisions or part thereof shall be stricken from this BA Agreement, and such provision shall not affect the legality, enforceability, or validity of the remainder of this BA Agreement. If any provision or part thereof of this BA Agreement is stricken in accordance with the provisions of this Section, then this stricken provision shall be replaced, to the extent possible, with a legal, enforceable, and valid provision that is as similar in tenor to the stricken provision as is legally possible.
(j) Choice of Law and Forum Selection. To the extent not preempted by HIPAA or the HIPAA Rules, the laws of the Commonwealth of Massachusetts shall govern this BA Agreement. The Parties agree that all actions or proceedings arising in connection with this BA Agreement shall be tried and litigated exclusively in the State and Federal courts located in Boston, Massachusetts.
(k) Supersedure. In the event that any term or provision of any agreement between the Parties conflicts with a term or provision of this BA Agreement, this BA Agreement shall control.
Call DoseSpot with any questions (888) 847-6814 or email: sales@dosespot.com