Business Associate Agreement
BUSINESS ASSOCIATE AGREEMENT
This BUSINESS ASSOCIATE AGREEMENT (the “Agreement” or “BAA”) is made and entered into between the entity identified as “Covered Entity” on the Order Form executed between the Parties (the “Order Form”) and Ascend Solutions, LLC, a Colorado limited liability company (“Business Associate”). This BAA becomes effective on the date the Order Form is signed by Covered Entity (the “Effective Date”). Each party may be referred to individually as a “Party” and collectively as the “Parties.”
WHEREAS, Business Associate provides access to and use of the Practice Data Solutions (“PDS”) software-as-a-service platform and related professional services as detailed in the Terms of Service in effect between the Parties (collectively, the “Services”), and where the Covered Entity’s use of the Services involves Protected Health Information, that use may result in the creation, receipt, maintenance, or transmission of Protected Health Information by Business Associate on behalf of Covered Entity in support of the Covered Entity’s treatment, payment, and health care operations;
WHEREAS, all terms and conditions of the Terms of Service in effect between the Parties remain in full force and effect;
WHEREAS, through the Terms of Service, the Parties have a relationship that qualifies as a business associate relationship under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Standards for Privacy of Individually Identifiable Health Information at 45 CFR Part 160, Subpart A, and 45 CFR 164, Subpart E (collectively, the “Privacy Rule”), the Security Standards for the Protection of Electronic Protected Health Information at 45 CFR Part 164 Subpart C (the “Security Rule”), and the Standards for Notification in the Case of Breach of Unsecured Protected Health Information at 45 CFR Part 164 Subpart D (the “Breach Notification Rule”); and
WHEREAS, the Parties desire to enter into this Agreement to comply with HIPAA, the Privacy Rule, the Security Rule, and the Breach Notification Rule and to set forth the various business associate responsibilities of Business Associate as more particularly set forth herein.
NOW, THEREFORE, in consideration of the foregoing recitals, which are incorporated herein as covenants, and the mutual promises herein made and exchanged, and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties agree as follows:
Definitions.
a. Breach. “Breach” shall have the same meaning as the term “breach” in 45 CFR 164.402.
b. Breach Notification Rule. “Breach Notification Rule” shall mean the Standards and Implementation Specifications for Notification of Breaches of Unsecured Protected Health Information under 45 CFR Parts 160 and 164, subparts A and D.
c. Electronic Protected Health Information. “Electronic Protected Health Information” shall have the same meaning as the term “electronic protected health information” in 45 CFR 160.103.
d. Electronic Transactions Rule. “Electronic Transactions Rule” shall mean the final regulations issued by HHS concerning standard transactions and code sets under 45 CFR Parts 160 and 162.
e. Enforcement Rule. “Enforcement Rule” shall mean the Enforcement Provisions set forth in 45 CFR Part 160.
f. Genetic Information. “Genetic Information” shall have the same meaning as the term “genetic information” in 45 CFR 160.103.
g. HHS. “HHS” shall mean the Department of Health and Human Services.
h. HIPAA Rules. “HIPAA Rules” shall mean the Privacy Rule, Security Rule, Breach Notification Rule, and Enforcement Rule.
i. HITECH Act. “HITECH Act” shall mean the Health Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009.
j. Privacy Rule. “Privacy Rule” shall mean the Privacy Standards and Implementation Specifications at 45 CFR Parts 160 and 164, subparts A and E.
k. Protected Health Information. “Protected Health Information” or “PHI” shall have the same meaning as the term “protected health information” in 45 CFR 160.103, limited to the information created, received, maintained, or transmitted by Business Associate from or on behalf of Covered Entity pursuant to this Agreement.
l. Required by Law. “Required by Law” shall have the same meaning as the term “required by law” in 45 CFR 164.103.
m. Security Incident. “Security Incident” shall have the same meaning as the term “security incident” in 45 CFR 164.304.
n. Security Rule. “Security Rule” shall mean the Security Standards and Implementation Specifications at 45 CFR Parts 160 and 164, subparts A and C.
o. Transaction. “Transaction” shall have the meaning given the term “transaction” in 45 CFR 160.103.
p. Unsecured Protected Health Information. “Unsecured Protected Health Information” shall have the meaning given the term “unsecured protected health information” in 45 CFR 164.402.
1. Business Associate Provisions
1.1. Security and Confidentiality. If Business Associate receives any Protected Health Information as defined in 45 CFR 160.103 from Covered Entity, or creates, receives, maintains or transmits any Protected Health Information on behalf of Covered Entity (collectively, “Protected Health Information” or “PHI”), Business Associate shall maintain the security and confidentiality of such PHI in accordance with all applicable laws and regulations, including but not limited to HIPAA, the Privacy Rule, the Security Rule, the Breach Notification Rule and any other regulations promulgated under HIPAA, and as otherwise “Required by Law” as such term is used in 45 CFR 164.103. Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms in 45 CFR 160.103, 164.103, 164.402, and 164.501.
1.2. Limitation on Use and Disclosure of PHI. Business Associate shall not use or disclose PHI otherwise than (i) to provide Services, directly and through its subcontractors as provided for herein, as expressly permitted by this Agreement and the Terms of Service, (ii) to satisfy its obligations under this Agreement and the Terms of Service, or (iii) to provide “Data Aggregation Services” (as defined by 45 CFR 164.501) to the Covered Entity as permitted by 45 CFR 164.504, or (iv) as Required by Law. Except as otherwise limited by this Agreement and provided such use or disclosure would not violate the Privacy Rule if done by Covered Entity, Business Associate may use or disclose PHI to provide Services for or on behalf of Covered Entity. Business Associate hereby acknowledges and agrees that as between Business Associate and Covered Entity, all PHI shall be and remain the sole property of Covered Entity, including any and all forms thereof developed by Business Associate in the course of fulfillment of its obligations hereunder. Business Associate shall not disclose PHI to a health plan for payment or health care operations purposes if the patient has requested this special restriction and has paid out of pocket in full for the health care item or service to which the PHI relates, and Covered Entity has notified Business Associate of the same with respect to the applicable patient prior to any such disclosure. Business Associate shall not receive any remuneration, direct or indirect, in exchange for PHI (in its identifiable form), except with the prior written consent of Covered Entity and as permitted under applicable law. Nothing in this provision shall be construed to prohibit payment to Business Associate by Covered Entity for Services provided pursuant to the Terms of Service. Business Associate shall not use or disclose PHI for fundraising or marketing purposes, except as specifically authorized in writing by Covered Entity and only to the extent permitted by HIPAA and the Privacy Rule.
1.2A. Permitted Uses for Management and Administration. Business Associate may use PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, as permitted under 45 CFR 164.504(e)(4). Business Associate may disclose PHI for such purposes if the disclosure is Required by Law, or if Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will be held confidentially and used or further disclosed only as Required by Law or for the purpose for which it was disclosed, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
1.3. Safeguards. Business Associate shall implement, maintain and use appropriate safeguards to prevent the use or disclosure of PHI other than as permitted by this Agreement, including administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of Electronic Protected Health Information as required in Subpart C of 45 CFR Part 164 and defined in 45 CFR 160.103 that Business Associate creates, receives, maintains, or transmits on behalf of Covered Entity. Business Associate shall develop policies and procedures and implement requirements of the Privacy, Security, and Breach Notification Rules as applicable to Business Associate and as required by the HIPAA Omnibus Final Rules.
1.4. Reporting of Violations. Business Associate shall, within thirty (30) days of discovery, report to Covered Entity (i) any use or disclosure of PHI not provided for and permitted by this Agreement and the Privacy Rule; (ii) any Security Incident involving Electronic Protected Health Information; and (iii) any Breach of Unsecured Protected Health Information of which it becomes aware. Such notification shall include the identity of the individual who is the subject of the Breach, together with any other information Covered Entity determines necessary. Business Associate shall mitigate, to the extent practicable, any harmful effect of any use or disclosure of PHI by Business Associate in violation of this Agreement.
Notwithstanding the foregoing, the Parties acknowledge that the definition of “Security Incident” under 45 CFR 164.304 includes unsuccessful attempts such as pings, port scans, unsuccessful log-on attempts, and other activity that does not result in unauthorized access to, use of, or disclosure of Electronic Protected Health Information. Business Associate shall report such unsuccessful security incidents on a periodic, aggregate basis (no less than quarterly) rather than within the reporting window above, unless such incidents are reasonably believed to be part of a pattern of targeted activity against the systems containing PHI of Covered Entity.
Business Associate shall indemnify, defend, and hold harmless Covered Entity from and against any and all claims, suits, demands, judgments, losses, costs, fines, penalties, damages, liabilities, and expenses arising from any breach of this Agreement by Business Associate or its employees, subcontractors or agents. Without limitation of the foregoing, Business Associate shall be responsible for all costs and expenses incurred by Covered Entity in notifying individuals, the media, and the Secretary of the Department of Health and Human Services (“HHS”) of a Breach committed or caused by Business Associate.
Covered Entity shall indemnify, defend, and hold harmless Business Associate from and against any and all claims, suits, demands, judgments, losses, costs, fines, penalties, damages, liabilities, and expenses arising from (i) any breach of this Agreement by Covered Entity or its employees or agents; (ii) any failure by Covered Entity to perform its obligations under Section 8 of this Agreement; or (iii) any request by Covered Entity that Business Associate use or disclose PHI in a manner not permitted under the HIPAA Rules.
1.5. Restrictions for Business Associate’s Agents and Subcontractors. Business Associate shall ensure that any of its business associates, agents and subcontractors that create, receive, maintain or transmit PHI for or on behalf of Business Associate in the provision of Services agree in writing to the same restrictions, terms, and conditions relating to PHI that apply to Business Associate in this Agreement, and agree to implement reasonable and appropriate safeguards to protect Electronic Protected Health Information.
1.6. Access to PHI. To the extent that Business Associate has PHI in a designated record set as such term is used in 45 CFR 164.524, Business Associate agrees to provide access, at the request of Covered Entity, and in the time and manner designated by Covered Entity, to such PHI to Covered Entity or, as directed by Covered Entity, to an “Individual” as such term is used in 45 CFR 164.501 and 45 CFR 164.502(g), in order to satisfy Covered Entity’s obligations under 45 CFR 164.524.
1.7. Amendments to PHI. To the extent that Business Associate has PHI in a designated record set, Business Associate agrees to make any amendment(s) to PHI in a designated record set that Covered Entity directs or agrees to pursuant to 45 CFR 164.526 at the request of Covered Entity or an Individual, and in the time and manner reasonably designated by Covered Entity. In the event any Individual requests a correction of PHI directly to Business Associate, Business Associate shall within five (5) days forward such request to Covered Entity.
1.8. Documentation and Accounting of Disclosures. Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR 164.528, and to provide such information to Covered Entity or an Individual, in a time and manner reasonably designated by Covered Entity, to permit Covered Entity to respond to such request. Such accounting shall include, at a minimum, the date of disclosure, a description of the information disclosed, the identity and address of the recipient of the information, and the purpose of the disclosure, or a copy of the request or authorization.
1.9. Access to Business Associate’s Practices, Books, and Records. Business Associate agrees to make internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of Covered Entity, available to Covered Entity, or at the request of Covered Entity to HHS, in a time and manner reasonably designated by Covered Entity or HHS, for purposes of HHS determining Covered Entity’s compliance with the HIPAA Rules.
1.10. Amendment. Upon the enactment of any law or regulation affecting the use or disclosure of PHI, or the publication of any decision of a court of the United States or of the State of Colorado relating to any such law, or the publication of any interpretative policy or opinion of any governmental agency charged with the enforcement of any such law or regulation, including, but not limited to, any changes to HIPAA, the Privacy Rule, the Security Rule, or the Breach Notification Rule, Covered Entity and Business Associate agree to cooperate in good faith to amend this Agreement by mutual written consent to ensure compliance with such law or regulation. To avoid any doubt, any amendment or change to this Agreement must be agreed to by both parties in writing in order to be effective.
1.11. Termination of Agreement. The term of this Agreement shall last until: (a) this Agreement is terminated by either party hereto if the other party fails to cure a material breach hereof by such other party within thirty (30) days of receiving written notice of the same; provided, however, that in the event of a material breach that by its nature cannot be cured (including but not limited to unauthorized mass disclosure of PHI), the non-breaching party may terminate this Agreement immediately upon written notice; (b) mutual agreement of the parties hereto; or (c) termination or expiration of the Terms of Service or agreements between the parties hereto.
1.12. Return or Destruction of PHI when Agreement ends. Within thirty (30) days of expiration or earlier termination of this Agreement, Business Associate shall return or destroy all PHI received from, or created or received on behalf of, Covered Entity that Business Associate still maintains in any form, except to the extent that Business Associate determines, in its reasonable judgment, that such return or destruction is not feasible due to legal, regulatory, or record retention requirements. Business Associate shall identify and notify Covered Entity in writing of the specific PHI it is retaining and the reason(s) return or destruction is not feasible. Any PHI retained by Business Associate shall continue to be subject to the protections of this Agreement for so long as it is maintained, and Business Associate shall limit its use to those purposes that make return or destruction not feasible. This provision shall also apply to PHI in the possession of any subcontractors or agents of Business Associate. Business Associate shall provide a written certification that all PHI that can feasibly be returned or destroyed has been returned or destroyed. For the avoidance of doubt, this Section 1.12 does not require the return or destruction of information that has been de-identified in accordance with Section 1.14; such de-identified information is no longer PHI and is not subject to this Agreement.
1.13. Minimum Necessary. Business Associate will, in its performance of the functions, activities, services, and operations specified above, make reasonable efforts to use, to disclose, and to request only the minimum amount of Protected Health Information reasonably necessary to accomplish the intended purpose of the use, disclosure, or request. Business Associate acknowledges that the phrase “minimum necessary” shall be interpreted in accordance with the HITECH Act and the HIPAA Rules.
1.14. De-Identification. Nothing in this Agreement shall prohibit Business Associate from de-identifying PHI in accordance with 45 CFR 164.514(a)–(c), including the Safe Harbor method that requires removal of the eighteen (18) identifiers set forth in 45 CFR 164.514(b)(2), provided that such de-identification is performed in compliance with the HIPAA Rules. Once PHI has been properly de-identified in accordance with the applicable standard, the resulting information is no longer PHI and is not subject to the restrictions of this Agreement. Business Associate may use, disclose, license, sell, or otherwise commercialize such de-identified information for its own purposes, including but not limited to data analytics, benchmarking, quality improvement, product research and improvement, and the training and improvement of statistical, artificial-intelligence, and machine-learning models. Business Associate’s rights under this Section 1.14 survive termination of this Agreement.
2. Regulatory References. A reference in this Agreement to a section in the Privacy Rule, the Security Rule, or the Breach Notification Rule means the section as in effect on the Effective Date, as it may be amended from time to time, and for which compliance is required.
3. Interpretation. Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits Covered Entity to comply with the Privacy Rule, the Security Rule, and the Breach Notification Rule. The terms of the Business Associate Provisions shall supersede any other conflicting or inconsistent terms or provisions in this Agreement. Without limitation of the foregoing, any limitation or exclusion of damages provisions in this Agreement shall not be applicable to the Business Associate Provisions.
4. Choice of Law, Jurisdiction, Venue. This Agreement shall be governed by and construed according to the laws of and subject exclusively to the jurisdiction of the courts of the State of Colorado, and applicable Federal law. Any suit, action or proceeding with respect to or arising out of this Agreement shall be conducted remotely so as to prevent escalation in costs for either Party due to travel.
If a state law applicable to the relationship between Business Associate and Covered Entity contains additional or more stringent requirements than federal law for Business Associate regarding any aspect of PHI privacy, then Business Associate agrees to comply with the higher standard contained in applicable state law. To the extent that Covered Entity is located in a state other than Colorado that imposes requirements on business associates that are more restrictive than HIPAA, the Parties shall comply with the more restrictive requirements of such state’s laws as applicable to the specific Covered Entity. In the event of a conflict between the governing law of this Agreement and the applicable state law of the Covered Entity, the law providing greater protection for PHI shall control.
5. Third-Party Beneficiaries. This Agreement is solely for the benefit of the Parties hereto and shall in no way be construed to entitle any other third party to any compensation or benefit and does not create any other third-party beneficiaries and shall not confer any rights or remedies upon any person or entity other than the Parties, and their respective successors and permitted assigns.
6. Attorneys’ Fees. In any action or dispute, at law or in equity, that may arise under or out of or otherwise relate to this Agreement or the transactions contemplated hereby, the prevailing Party shall recover its legal expenses, including reasonable attorneys’ fees, legal assistants’ fees, costs and expenses, from the non-prevailing Party at all court levels (including bankruptcy proceedings and appeals), in addition to any other relief to which that Party shall be entitled.
7. Independent Contractors. It is expressly agreed that the Parties shall be independent contractors and that the relationship between the Parties shall not constitute a partnership, joint venture, or agency. Neither Party shall have the authority to make any statements, representations or commitments of any kind, or to take any action, which shall be binding on the other Party, without the prior written consent of the other Party.
8. Obligations of Covered Entity
8.1. Covered Entity shall notify Business Associate of any limitation(s) in its notice of privacy practices of Covered Entity in accordance with 45 CFR 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of Protected Health Information.
8.2. Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose Protected Health Information, to the extent that such changes may affect Business Associate’s use or disclosure of Protected Health Information.
8.3. Covered Entity shall notify Business Associate of any restriction to the use or disclosure of Protected Health Information that Covered Entity has agreed to in accordance with 45 CFR 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of Protected Health Information.
8.4. Covered Entity shall not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under the Privacy Rule if done by Covered Entity. Nothing in this paragraph shall restrict the ability of Business Associate to use or disclose PHI as set forth in Section 1.2 herein and in the course of providing Services under the Terms of Service.
8.5. Covered Entity shall cooperate with Business Associate in the investigation of any suspected or confirmed Breach, Security Incident, or unauthorized use or disclosure of PHI, including providing relevant information and access to affected systems in a timely manner.
8.6. Covered Entity shall respond to reasonable requests from Business Associate for information, clarification, or direction within ten (10) business days of receipt of such request, to the extent such response is necessary for Business Associate to fulfill its obligations under this Agreement or the HIPAA Rules.
9. Notices. All notices to be delivered under this Agreement shall be as provided for in the Terms of Service. In addition, notices related to Breach, Security Incident, or other PHI-handling matters under this Agreement may also be sent to [email protected].
Acceptance. This BAA does not require execution by either Party as a standalone document. Acceptance is established as follows:
(a) Covered Entity accepts this BAA by signing an Order Form that references this BAA at https://ascendsolutionsllc.com/ascend-business-associate-agreement and that includes Covered Entity’s confirmation that Covered Entity has read and agrees to this BAA.
(b) Business Associate accepts this BAA by publishing it at the URL above, by accepting the executed Order Form from Covered Entity, and by commencing or continuing to provide Services to Covered Entity. No separate signature by Business Associate on this BAA is required.
The Effective Date of this BAA is the date the Order Form is signed by Covered Entity.