BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement (the “BAA”) is entered into by and between ___________________, and MessagePro, Inc. effective as of _____ __ 20__.
WHEREAS, Covered Entity is a provider of medical services.
WHEREAS, Business Associate (MessagePro, Inc.) is a provider of hosted software services.
WHEREAS, Business Associate has been retained by the Covered Entity to perform a function or activity on behalf of the Covered Entity that requires that the Business Associate have access to Protected Health Information (PHI).
WHEREAS, Covered Entity desires to receive satisfactory assurances from the Business Associate that it will comply with the obligations required of business associates by the HIPAA Privacy and Security Rules.
WHEREAS, the parties wish to set forth their understandings with regard to the use and disclosure of PHI by the Business Associate in performance of its obligations.
NOW, THEREFORE, in consideration of the mutual promises set forth below, the parties hereby agree as follows:
Terms used, but not otherwise defined, in this BAA shall have the same meaning as those terms in the HIPAA Privacy, Security, Breach Notification and Enforcement Rules at 45 CFR Part 160 and 164.
B. USE AND DISCLOSURE OF PHI
Covered Entity hereby grants Business Associate permission to use, disclose, and request from third parties PHI on behalf of Covered Entity in connection with the provision of services to be provided by MessagePro, Inc. Additionally, Covered Entity grants Business Associate permission to access and utilize PHI to:
Allow Business Associate to properly manage and administer the Business Associate's organization or to carry out the legal responsibilities of the Business Associate.
Perform functions, activities, or services for, or on behalf of, Covered Entity as specified above, except as otherwise limited by this BAA or if such use or disclosure would violate the HIPAA Privacy or Security Rules if done by the Covered Entity.
C. OBLIGATIONS AND ACTIVITIES OF BUSINESS ASSOCIATE
- Use and Disclosure of PHI. Business Associate shall not use or further disclose PHI other than as permitted by this BAA or as required by law. To the extent practicable, Business Associate shall limit its use or disclosure of PHI or requests for PHI to a limited data set, or if necessary, to the minimum necessary to accomplish the intended purpose of such use, disclosure or request.
- Safeguards. Business Associate shall use appropriate safeguards to prevent the use or disclosure of PHI other than pursuant to the terms and conditions of this BAA, including establishing procedures that limit access to PHI within its organization to those employees with a need to know the information. Business Associate agrees that it will implement appropriate administrative, physical and technical safeguards to protect the confidentiality, integrity and availability of electronic PHI that it creates, receives, maintains or transmits on behalf of the Covered Entity, as required by the HIPAA Security Rule.
Business Associate acknowledges that the requirements of 45 C.F.R. Sections 164.308, 164.310 and 164.312 applicable to such administrative, physical and technical safeguards apply to Business Associate in the same manner that such sections apply to Covered Entity. Further, Business Associate shall implement, and maintain in written form, reasonable and appropriate policies and procedures to comply with the standards, implementation specifications or other requirements of the HIPAA Security Rule, in accordance with 45 C.F.R. Section 164.316, which applies to Business Associate in the same manner that such section applies to Covered Entity.
- Unauthorized Disclosures of PHI. Business Associate shall, within ten (10) business days of becoming aware of a disclosure of PHI in violation of this BAA by Business Associate, its officers, directors, employees, contractors, or agents or by a third party to which Business Associate disclosed PHI (including a subcontractor), report to Covered Entity any such disclosure. Business Associate agrees to mitigate, to the extent practicable, any harmful effect of the unauthorized disclosure.
This section shall also apply to any breach of unsecured PHI, as defined by the applicable regulations. Notice of any such breach shall include the identification of any individual whose unsecured PHI has been, or is reasonably believed by Business Associate, to have been accessed, acquired or disclosed during such breach and any other information required by the applicable regulations.
- Security Incidents. Business Associate shall promptly report to Covered Entity any Security Incident of which it becomes aware, in accordance with the HIPAA Security Rule.
- Agreements With Third Parties. Business Associate agrees to ensure that any agents and subcontractors that create, receive, maintain or transmit PHI on behalf of Business Associate with respect to Business Associate’s relationship with Covered Entity agree to the same restrictions and conditions that apply to Business Associate with respect to such information.
- Access to Information. Within ten (10) business days of a request by the Covered Entity for access to PHI about an individual contained in a Designated Record Set, Business Associate shall make available to the Covered Entity such PHI for so long as such information is maintained in a Designated Record Set and in accordance with the requirements of 45 C.F.R. Section 164.524. In the event any individual requests access to PHI directly from the Business Associate, Business Associate shall respond to the request for PHI within ten (10) business days. Any denials of access to the PHI requested shall be the responsibility of the Business Associate.
- Availability of PHI for Amendment. Business Associate agrees to make any amendments to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 CFR Section 164.526 at the request of the Covered Entity or an individual, and in the time and manner designated by Covered Entity.
- Inspection of Books and Records. Business Associate agrees to make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of Covered Entity, available to the Covered Entity, or at the request of the Covered Entity, to the Secretary of the U.S. Department of Health and Human Services or its designee (the “Secretary”), in a time and manner designated by the Covered Entity or the Secretary, for purposes of the Secretary determining Covered Entity's compliance with HIPAA.
- Accounting of Disclosures. Business Associate agrees to maintain and make available to the Covered Entity an accounting of disclosures of PHI as would be required for Covered Entity to respond to a request by an individual made in accordance with 45 CFR Section 164.528. Business Associate shall provide an accounting of disclosures made during the six (6) years prior to the date on which the accounting is requested (or during the three (3) years prior to the date the accounting is requested for PHI maintained in an electronic health record, beginning on the applicable effective date pursuant to the American Recovery and Reinvestment Act of 2009). At a minimum, the accounting of disclosures shall include the following information:
a. Date of disclosure,
b. The name of the person or entity who received the PHI, and if known, the address of such entity or person,
c. A brief description of the PHI disclosed, and
d. A brief statement of the purpose of such disclosure which includes an explanation of the basis of such disclosure.
In the event the request for an accounting is delivered directly to the Business Associate, the Business Associate shall respond to the request within ten (10) business days. Any denials of a request for an accounting shall be the responsibility of the Business Associate. Business Associate agrees to implement an appropriate recordkeeping process to enable it to comply with the requirements of this section.
- Remuneration in Exchange for PHI. Effective Sept. 23, 2013, the effective date of the final HIPAA regulations pursuant to the American Recovery and Reinvestment Act of 2009, and subject to the transition provision of 45 CFR Section 164.532 regarding prior data use agreements, Business Associate shall not directly or indirectly receive remuneration in exchange for any PHI without a valid authorization permitting such remuneration, except as permitted by law.
D. OBLIGATIONS OF COVERED ENTITY
Covered Entity shall comply with each applicable requirement of the HIPAA Privacy and Security Rules.
Covered Entity shall provide Business Associate with the notice of privacy practices that Covered Entity produces in accordance with 45 CFR Section 164.520, as well as any changes to such notice.
Covered Entity shall provide Business Associate with any changes in, or revocation of, permission by individual to use or disclose PHI, if such changes affect Business Associate's permitted or required uses and disclosures.
Covered Entity shall notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR Section 164.522.
E. PERMISSIBLE REQUESTS BY COVERED ENTITY
Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under HIPAA if done by the Covered Entity.
- Term. The term of this BAA shall begin on the Effective Date and shall remain in effect until terminated under Section F(2) of this BAA.
- Termination. This BAA shall be terminated only as follows:
Termination for Cause by Covered Entity
This BAA may be terminated by the Covered Entity upon fifteen (15) business days written notice to the Business Associate in the event that the Business Associate breaches any provision contained in Paragraph C of this BAA and such breach is not cured within such fifteen (15) day period.
Termination for Cause by Business Associate
This BAA may be terminated by the Business Associate upon fifteen (15) business days written notice to the Covered Entity in the event that the Covered Entity breaches any provision contained in Paragraphs D or E of this BAA and such breach is not cured within such fifteen (15) day period.
Termination Due To Change in Law
Either party may terminate this BAA effective upon thirty (30) days advance written notice to the other party in the event that the terminating party has sought amendment of this BAA pursuant to Paragraph G(1) and no amendment has been agreed upon.
Termination Without Cause
Either party may terminate this BAA effective upon ninety (90) days advance written notice to the other party given with or without any reason.
- Return or Destruction of PHI
Upon termination of this BAA, Business Associate shall return or destroy all PHI received from Covered Entity, or created, maintained or received by Business Associate on behalf of Covered Entity that the Business Associate maintains in any form. Business Associate shall retain no copies of the PHI.
Notwithstanding the above, to the extent that the Business Associate determines that it is not feasible to return or destroy such PHI, the terms and provisions of Paragraphs A, B, C and D shall survive termination of this BAA and such PHI shall be used or disclosed solely for such purpose or purposes which prevented the return or destruction of such PHI. When the PHI is no longer needed by the Business Associate, the Business Associate shall return the PHI to Covered Entity or shall destroy it.
G. GENERAL PROVISIONS
- Amendment. This BAA may be amended only by the mutual written agreement of the parties. The parties agree to take such action to amend this BAA from time to time as is necessary for the Covered Entity or Business Associate to comply with the requirements of HIPAA.
2. Indemnification. Business Associate shall release, indemnify and hold Covered Entity harmless from and against any claims, fees, and costs, including, without limitation, reasonable attorneys’ fees and costs, which are related to Business Associate's failure to perform its obligations under this BAA. Covered Entity shall release, indemnify and hold Business Associate harmless from and against any claims, fees, and costs, including without limitation, reasonable attorneys' fees and costs, which are related to Covered Entity's alleged improper use or disclosure of PHI or other breach of this BAA.
- Remedies. The parties acknowledge that breach of Paragraphs B, C, D or E of this BAA may cause irreparable harm for which there is no adequate remedy at law. In the event of a breach, or if either party has actual notice of an intended breach, such party shall be entitled to a remedy of specific performance and/or injunction enjoining the other party from violating or further violating this BAA. The parties agree the election of the party to seek injunctive relief and/or specific performance of this BAA does not foreclose or have any effect on any right such party may have to recover damages.
- Survival. Business Associate's obligation to limit its use and disclosure of PHI as set out in Paragraph C survives the termination of this BAA so long as Business Associate has PHI received during the performance of its services as described in this BAA.
- Governing Law. This BAA shall be construed and enforced in accordance with the laws of the State of Florida.
- Assigns. Neither this BAA nor any of the rights, benefits, duties, or obligations provided herein may be assigned by any party to this BAA without the prior written consent of the other party.
- Third Party Beneficiaries. Nothing in this BAA shall be deemed to create any rights or remedies in any third party.
- Interpretation. Any ambiguity in this BAA shall be resolved in favor of a meaning that permits the Covered Entity and/or Business Associate, as applicable, to comply with HIPAA.
- Notices. Any notice given under this BAA must be in writing and delivered via first class mail, via reputable overnight courier service, or in person to the parties' respective addresses as first written above or to such other address as the parties may from time to time designate in writing.
IN WITNESS WHEREOF, the undersigned have executed this BAA.
“COVERED ENTITY” “BUSINESS ASSOCIATE”
Signed: ______________________________ Signed: _______________________________
Name: _______________________________ Name: ________________________________
Title: ________________________________ Title: _________________________________
Address: _____________________________ Address: _205 S Hoover Blvd, Suite 203_____
_____________________________ _Tampa, FL 33609_______________
Date: ________________________________ Date: _________________________________