BUSINESS ASSOCIATE AGREEMENT
This BUSINESS ASSOCIATE AGREEMENT (the “Agreement”) is effective between the Client (the “Covered Entity”) on behalf of itself, and its current and future subsidiaries and affiliates, and pingmd, Inc. doing business as pingmd, a Delaware corporation, whose offices are located at 404 5th Avenue, 3rd Floor, New York, NY 10018 (“pingmd”). Covered Entity and pingmd may collectively be referred to as the “Parties,” and individually as a “Party.”
WHEREAS, Covered Entity is a covered entity and pingmd is a business associate as such terms are defined under HIPAA regarding the confidentiality and privacy of Protected Health Information (“PHI”); and
WHEREAS, pingmd has entered or may enter into agreement(s) with Covered Entity (“Service Agreement”) pursuant to which pingmd will render services to, for or on behalf of Covered Entity which may involve pingmd’s use, disclosure or creation of PHI on behalf of Covered Entity; and
WHEREAS, the provisions of this Agreement are specifically intended to meet the business associate contract requirements of the HIPAA privacy standards set forth in 45 CFR § 164.504 (“Privacy Standards”), the HIPAA Security Standards for Business Associate Contracts set forth in 45 CFR § 164.314 (“Security Standards”), and the requirements and guidance issued by the United States Department of Health and Human Services (herein, “HHS”) pursuant to the American Recovery and Reinvestment Act of 2009 (42 USC § 17931(a) et seq.) (herein, “ARRA”).
NOW THEREFORE, in consideration of the mutual covenants, promises and agreements contained herein, the Parties hereto agree as follows:
Business Associate Provisions
(a) Definitions. For the purposes of this section of the Terms and Conditions, a capitalized term shall have the definition given in the Administrative Simplification subtitle of the Health Insurance Portability and Accountability Act of 1996, as amended, and its implementing regulations (collectively, “HIPAA”), unless otherwise defined in these Terms and Conditions.
(i) “PHI” shall mean “protected health information” as defined at 45 C.F.R. § 160.103, except that it shall be limited to the PHI that pingmd or its agents or subcontractors create, receive, maintain, or transmit on behalf of Covered Entity.
(ii) “Individual” shall have the same meaning as defined at 45 C.F.R. § 160.103, except that it shall also include a personal representative as set forth at 45 C.F.R. § 164.502(g).
(iii) “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information, 45 C.F.R. Part 160 and Part 164, Subparts A and E.
(iv) “Security Rule” shall mean the Security Standards for Protection of Electronic Protected Health Information, 45 C.F.R. Part 160 and Part 164, Subparts A and C.
(b) Permissible Uses and Disclosures. pingmd may Use and Disclose PHI:
(i) to provide the service and as Required By Law including assisting Covered Entity with notifying Individuals about the availability of the Service, except that pingmd may not Use or Disclose PHI in a manner that would violate the Privacy Rule if done by Covered Entity;
(ii) for the proper administration and management of pingmd or to carry out pingmd’s legal responsibilities, subject to the condition that pingmd may only make such Disclosures if: (1) Required By Law; or (2) pingmd obtains reasonable assurances from the person to whom the information is Disclosed that the information will remain confidential and will be Used or further Disclosed only as Required By Law or for the purposes for which it was Disclosed to the person, and the person shall notify pingmd of any instances of which the person is aware in which the confidentiality of the information has been breached;
(iii) to provide Data Aggregation services for Covered Entity; and
(iv) to de-identify PHI in accordance with 45 C.F.R. § 164.514(b), in which case the resulting de-identified health information shall not be subject to these Terms and Conditions.
(c) Obligations of pingmd. pingmd agrees to:
(i) Not Use or Disclose PHI other than as permitted or required by this section of the Terms and Conditions and shall comply with applicable federal and state laws and regulations relating to such information;
(ii) Use appropriate safeguards, and comply with the Security Rule with respect to electronic PHI, to prevent Use or Disclosure of PHI other than as provided for by this section of the Terms and Conditions;
(iii) Report to Covered Entity any Use or Disclosure of PHI not provided for by this section of the Terms and Conditions of which pingmd becomes aware, including Breaches of Unsecured PHI as required at 45 C.F.R. § 164.410;
(iv) Report to Covered Entity any Security Incident of which pingmd becomes aware, except that this Section of the Terms and Conditions shall serve as notice, and no further reporting shall be required, of the regular occurrence of unsuccessful attempts of unauthorized access, Use, Disclosure, modification, or destruction of information or interference with system operations in an information system that do not risk the confidentiality, integrity, or availability of electronic PHI.
(v) In accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of pingmd agree to the same restrictions, conditions, and requirements that apply to pingmd with respect to such information;
(vi) Make available PHI in a Designated Record Set to the Covered Entity, within five (5) days of a request from Covered Entity, as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. § 164.524;
(vii) Make any amendment(s) to PHI in a Designated Record Set, within five (5) days of a request from Covered Entity, as agreed to by the Covered Entity pursuant to 45 C.F.R. § 164.526, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. § 164.526;
(viii) Maintain and make available the information required to provide an accounting of Disclosures to the Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. § 164.528; and
(ix) Forward to Covered Entity within two (2) business days any requests pingmd receives directly from Individuals for access, amendment, or an accounting of Disclosures of PHI, and any denial of such a request shall be the Covered Entity’s sole responsibility.
(d) Access to Books and Records.
pingmd shall permit the Secretary to audit pingmd’s internal practices, books and records at reasonable times as they pertain to the Use and Disclosure of PHI in order to ensure that Covered Entity and pingmd are in compliance with the requirements of HIPAA. Notwithstanding this provision, no attorney-client, accountant-client, or other legal privilege will be deemed waived by pingmd or Covered Entity as a result of this subsection and this subsection shall not require Disclosure of trade secrets or confidential commercial information.
(e) Obligations of Covered Entity. Covered Entity agrees to:
(i) Not request pingmd to Use or Disclose PHI in any manner that violates applicable federal and state laws if such Use or Disclosure were done by Covered Entity;
(ii) Notify pingmd of any limitations on Uses and Disclosures in Covered Entity’s notice of privacy practices that would restrict pingmd’s Use or Disclosure of PHI pursuant to this section of the Terms and Conditions;
(iii) Notify pingmd if Covered Entity agrees to any restrictions or alternative forms of communication under 45 C.F.R. § 164.522 that would restrict pingmd’s Use or Disclosure of PHI pursuant to this Section of the Terms and Conditions; and
(iv) Notify pingmd of any other restriction or revocation of permission or authorization by the Individual that would restrict pingmd’s Use or Disclosure of PHI pursuant to this Section of the Terms and Conditions.
(f) Termination.
(i) Where Covered Entity has knowledge of a material breach of this Agreement by pingmd, Covered Entity shall have the right to terminate these Terms and Conditions and any other agreements between Covered Entity and pingmd immediately, provided that such termination is in accordance with and subject to any rights to cure and payment obligations specified in such agreements. Covered Entity shall not have the right to continue to use the Service after termination.
(ii) Upon termination of this Agreement for any reason, pingmd shall:
(1) Retain only that PHI which is necessary for pingmd to continue its proper management and administration or to carry out its legal responsibilities;
(2) Return to Covered Entity or destroy the remaining PHI that pingmd still maintains in any form;
(3) Continue to use appropriate safeguards and comply with the Security Rule with respect to electronic PHI to prevent Use or Disclosure of the PHI, other than as provided for in this subsection (f), for as long as pingmd retains the PHI;
(4) Not Use or Disclose the PHI retained by pingmd other than for the purposes for which such PHI was retained and subject to the same conditions set out at subsection (b)(ii) which applied prior to termination; and
(5) Return to Covered Entity or destroy the PHI retained by pingmd when it is no longer needed by pingmd for its proper management and administration or to carry out its legal responsibilities.
pingmd acknowledges that, as between pingmd and Covered Entity, all PHI shall be and remain the sole property of Covered Entity. Covered Entity acknowledges that it shall have no ownership interest in any de-identified health information that pingmd may create pursuant to subsection (b)(iv).
This Agreement shall be governed by and construed in accordance with the laws of the State of New York.