BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement (“Agreement”) is made between you (“Covered Entity”) and Matrix Analytics, Inc., a Delaware corporation (“Business Associate”). Covered Entity and Business Associate are each referred to in this Agreement as a “party,” and collectively, the “parties.” This Agreement shall be effective as of the date of execution of that certain Systems License and Support Agreement governing the use by Covered Entity of Business Associate’s platform and services.
A. Business Associate creates, receives, maintains, or transmits protected health information, including electronic protected health information and/or unsecured health information, as those terms are defined in 45 C.F.R. Section 160.103, 45 C.F.R. Section 164.402 and 42 U.S.C. Section 17932(h), on behalf of Covered Entity.
B. The purpose of this Agreement is to satisfy the standards and requirements of the Health Insurance Portability and Accountability Act (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act (the “HITECH” Act), as may be amended from time to time (collectively referred to as “the HIPAA Rules”). This Agreement shall supplement and/or amend each of the underlying agreements entered into between the parties to allow the parties to comply with the HIPAA Rules (“Underlying Agreements”).
NOW THEREFORE, in consideration of the mutual covenants set forth in this Agreement, and other good and valuable consideration, the sufficiency and receipt of which are hereby severally acknowledged, the parties agree as follows:
- Definitions. All capitalized terms used but not otherwise defined in this Agreement shall have the same meaning as those terms are defined in the HIPAA Rules.
a. “Breach” shall have the same meaning as the term “breach” in 45 C.F.R. Section 164.402 and 42 U.S.C. Section 17921(1). The date of breach shall be determined as set forth in 45 C.F.R. Section 164.410.
b. “Electronic Protected Health Information” or “ePHI” shall have the same meaning as the term “electronic protected health information” in 45 C.F.R. Section 160.103, limited to the information created or received by Business Associate from or on behalf of Covered Entity.
c. “Individual” shall have the same meaning that the term has in 45 C.F.R. Section 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. Section 164.502(g).
d. “HIPAA Rules” shall mean the privacy, security, breach notification, and enforcement rules at 45 C.F.R. Part 160 and Part 164.
e. “Protected Health Information” or “PHI” shall have the same meaning as the term “protected health information” in 45 C.F.R. Section 160.103, and is limited to the information created or received by Business Associate from or on behalf of Covered Entity. PHI shall be inclusive of ePHI and uPHI.
f. “Required by law” shall have the same meaning as the term “required by law” in 45 C.F.R. Section 164.501.
g. “Secretary” shall mean the Secretary of the Department of Health and Human Services or his/her designee.
h. “Security Incident” means the attempted or successful unauthorized access, use, disclosure, modification or destruction of information or interference with system operations in an information system.
i. “Unsecured Protected Health Information” or “uPHI” shall have the same meaning as the term “unsecured protected health information” in 45 C.F.R. Section 164.402 and 42 U.S.C. Section 17932(h) and is limited to the information created or received by Business Associate from or on behalf of Covered Entity.
- Business Associate Permitted Uses and Disclosures
a. Business Associate provides services (“Services”) for or on behalf of the Covered Entity that involve (i) the use and disclosure of PHI or (ii) access, maintenance, retention, modification, storage, or destruction of PHI.
b. Business Associate may use or disclose PHI only as authorized in any Underlying Agreement or to perform functions, activities, or services for, or on behalf, of the Covered Entity as specified in this Agreement and any Underlying Agreement in effect between Covered Entity and Business Associate. All uses of PHI not authorized by this Agreement and any Underlying Agreement are prohibited.
c. Business Associate may not engage in any use or disclosure of PHI that would violate the HIPAA Rules if done by the Covered Entity, except for the specific uses and disclosures set forth below:
i. Business Associate may use PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate.
ii. Business Associate may disclose PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of the Business Associate, provided the disclosures are required by law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person and that the person will notify Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
- Responsibilities of the Business Associate.
a. Business Associate shall use appropriate safeguards to maintain the privacy and security of PHI, and prevent unauthorized use and/or disclosure of PHI in violation of this Agreement.
b. Business Associate shall report to the designated privacy officer of the Covered Entity, in writing, any use or disclosure of PHI not provided for in this Agreement, including Security Incidents and Breaches of uPHI, of which Business Associate becomes aware. Business Associate shall provide such notice without unreasonable delay, but in any event no later than five (5) business days of the Business Associate’s discovery of such Security Incident or Breach. In addition, such written notice shall include (i) a brief description of what happened, including the date of the breach and the date of the discovery of the Security Incident or Breach, if known, (ii) the scope of the Security Incident or Breach, including the types of uPHI involved such as full name, social security number, date of birth, home address, account number, billing code, disability code, or other types of similar information, (iii) the identification of each individual whose uPHI has been, or is reasonably believed by Business Associate to have been accessed, acquired, or disclosed during such Security Incident or Breach, including first and last name, mailing address, street address, phone number, email address, if known, (iv) the identification of the party responsible for causing the Security Incident or Breach, including first and last name, mailing address, street address, phone number, email address, if known, (v) the steps individuals should take to protect themselves from potential harm resulting from the Security Incident or Breach, (vi) a brief description of what the Business Associate is doing to investigate the Security Incident or Breach, mitigate losses and protect against any further Security Incidents or Breaches, and (vii) contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free number, an e-mail address, web site, or postal address.
c. Business Associate shall require all of its agents, including subcontractors, that receive, use, or have access to, PHI under this Agreement to agree, in writing, to adhere to the same restrictions and conditions on the use and/or disclosure of PHI that apply to the Business Associate through this Agreement.
d. Business Associate shall make available PHI in accordance with the requirements of 45 C.F.R. 164.524 in the time and manner reasonably designated by Covered Entity.
e. Business Associate shall make available PHI for amendment and incorporate any amendments to PHI in accordance with 45 C.F.R. 164.526 in the time and manner reasonably designated by the Covered Entity.
f. Business Associate shall make available information related to such disclosures as would be required for the Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. 164.528.
g. Business Associate shall make available all records, books, agreements, internal practices, policies and procedures and PHI received by the Business Associate on behalf of the Covered Entity available to the Secretary and the Covered Entity for purposes of determining the Covered Entity’s compliance with the HIPAA Rules and the terms of this Agreement.
h. Business Associate shall, when using or disclosing PHI or when requesting PHI from the Covered Entity, limit the request, disclosure and use of PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
i. Business Associate shall implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of any PHI that it creates, receives, maintains or transmits to or on behalf of Covered Entity and shall ensure that any agent, including a subcontractor, to whom it provides such information, agrees to implement reasonable and appropriate safeguards to protect such information. Business Associate shall document and keep current such security measures in written policies, procedures or guidelines and make its policies, procedures, and any documentation required by this Agreement, HIPAA, and HITECH relating to such safeguards available to Covered Entity and to the Secretary of the Department of Health and Human Services (“HHS”) for the purposes of determining Covered Entity’s compliance with the Security Regulations.
j. Business Associate shall mitigate, to the extent reasonably practicable, any harmful effects known to the Business Associate of any improper use and/or disclosure of PHI by the Business Associate in violation of the requirements of this Agreement.
k. Business Associate shall use commercially reasonable efforts to ensure that the technology safeguards used by Business Associate to secure PHI will render such PHI unusable, unreadable and indecipherable to individuals unauthorized to acquire or otherwise have access to such PHI in accordance with HHS Guidance published at 74 Fed. Reg. 19006 (April 17, 2009), or such later regulations or guidance promulgated by HHS or issued by the National Institute for Standards and Technology (“NIST”) concerning the protection of identifiable data such as PHI.
- Business Associate Representations and Warranties.
a. Business Associate represents and warrants to the Covered Entity that all of its employees, agents, representatives, subcontractors, and members of its workforce, whose services may be used to fulfill obligations under this Agreement are or shall be appropriately informed of the terms of this Agreement and their legal obligations, by contract or otherwise, sufficient to enable the Business Associate to fully comply with all provisions of this Agreement.
b. Business Associate represents and warrants to the Covered Entity that Business Associate (i) is not currently excluded, debarred, or otherwise ineligible to participate in any federal health care program as defined in 42 U.S.C. Section 1320a-7b(f) (“the Federal Healthcare Programs”); (ii) has not been convicted of a criminal offense related to the provision of health care items or services and not yet been excluded, debarred, or otherwise declared ineligible to participate in the Federal Healthcare Programs, and (iii) is not under investigation or otherwise aware of any circumstances which may result in Business Associate being excluded from participation in the Federal Healthcare Programs. This shall be an ongoing representation and warranty during the term of this Agreement, and Business Associate shall immediately notify Covered Entity of any change in the status of the representations and warranty set forth in this section.
- Additional HITECH Act and State Law Requirements
a. Business Associate shall comply with the requirements of the HITECH Act (42 U.S.C. §§17921-17954) which are applicable to Business Associates and comply with all regulations issued by HHS to implement HITECH as of the date by which Business Associates are required to comply with HITECH and the related regulations. Such requirements are hereby incorporated by reference into this Agreement.
b. Business Associate agrees to implement reasonable systems for the discovery and prompt reporting of any Breach of PHI that if misused, disclosed, lost or stolen, Covered Entity believes would trigger an obligation under state data breach notification laws to notify the individuals who are the subject of a breach, as defined by state law. Business Associate agrees that in the event any PHI is lost, stolen, used or disclosed in violation of one or more state data breach notification laws, Business Associate shall promptly: (i) cooperate and assist Covered Entity with any investigation into any state breach or alleged state breach conducted by any state Attorney General or State Consumer Affairs Department (or their respective agents), (ii) assist with the mitigation, to the extent practicable, of any potential harm to the individual(s) impacted and (iii) assist with the implementation of notification to individual(s) impacted or potentially impacted by a state breach.
- Responsibilities of Covered Entity
a. Covered Entity must notify Business Associate of any limitation(s) in Covered Entity’s notice of privacy practices in accordance with 45 CFR 164.520 to the extent that such limitation may affect Business Associate’s use or disclosure of PHI.
b. Covered Entity must notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent that such changes may affect Business Associate’s use or disclosure of PHI.
c. Covered Entity must notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.
d. Covered Entity must not request Business Associate to Use or Disclose PHI in any manner that would not be permissible under HIPAA if done by Covered Entity.
- Term and Termination
a. Term. This Agreement shall be in effect as of the Effective Date and shall continue until the earlier of the following: (1) all of the Underlying Agreements have expired or been terminated; or (2) this Agreement has been terminated.
b. Termination by Covered Entity. Covered Entity may terminate this Agreement upon thirty (30) days advance written notice to Business Associate in the event Business Associate breaches this Agreement or any Underlying Agreement in any material respect and such breach is not cured to the reasonable satisfaction of Covered Entity within such thirty (30) day period. Failure to take reasonable steps to cure the breach is grounds for the immediate termination of this Agreement.
c. Termination by Business Associate. If Business Associate determines that Covered Entity has breached a material term of this Agreement, Business Associate shall notify Covered Entity and provide Covered Entity an opportunity to cure the alleged material breach upon mutually agreeable terms. Failure of Covered Entity to take reasonable steps to cure the breach is grounds for the immediate termination of this Agreement.
d. Effect of Termination. In the event of termination of this Agreement for any reason, Business Associate agrees to return or destroy all PHI in its possession pursuant to 45 C.F.R. Section 164.504(e)(2)(ii)(I) if it is feasible to do so. If it is not feasible for the Business Associate to return or destroy the PHI, the Business Associate will notify the Covered Entity in writing. The written notification shall include: (i) a statement that the Business Associate has determined that it is infeasible to return or destroy the PHI in its possession, and (ii) the specific reasons for such determination. Upon mutual agreement of the parties that return or destruction of PHI is infeasible, Business Associate agrees to extend any and all protections, limitations and restrictions contained in this Agreement to the Business Associate’s use and/or disclosure of any PHI retained after the termination of this Agreement, and to limit any further uses and/or disclosures to the purposes that make the return or destruction of the PHI infeasible. The Business Associate must require all subcontractors and agents to agree to extend any and all protections, limitations and restrictions contained in this Agreement to the subcontractors’ and/or agents’ use and/or disclosure of any PHI retained after the termination of this Agreement, and to limit any further uses and/or disclosures to the purposes that make the return or destruction of the PHI infeasible. This provision will survive the termination of this Agreement.
a. Ownership of PHI. Covered Entity shall retain all rights of ownership in the PHI.
b. Independent Contractor. The parties hereto shall be independent contractors and neither shall at any time be considered an agent or employee of the other. No joint venture, partnership, or like relationship is created between the parties by this Agreement or the Underlying Agreements.
c. Injunctive Relief. Business Associate agrees that Covered Entity would suffer irreparable harm if Business Associate were to breach, or threaten to breach, any provision of this Agreement and that the Covered Entity would by reason of such breach, or threatened breach, be entitled to injunctive relief in a court of appropriate jurisdiction, without the need to post any bond. Business Associate further consents and stipulates to the entry of such injunctive relief in such a court prohibiting Business Associate from breaching this Agreement. This section shall not, however, diminish the right of Covered Entity to claim and recover damages and other appropriate relief.
d. Regulatory References. A reference in this Agreement to a section in the HIPAA Rules means the section as in effect on the effective date of the Agreement.
e. Amendment. If the HIPAA Rules are amended in a manner that would alter the obligations of Business Associate as set forth in this Agreement, then the parties agree to take such action as is necessary in good faith to amend this Agreement to comply with the HIPAA Rules. All amendments shall be mutually agreed to by the parties in writing.
f. Survival. The respective rights and obligations of the parties under this Section 8 shall survive the termination of this Agreement.
g. Interpretation. Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits compliance with the HIPAA Rules. The terms of this Agreement shall prevail in the case of any conflict with the terms of any Underlying Agreement to the extent necessary to allow the parties to comply with the HIPAA Rules.
h. Third Party Beneficiaries. This Agreement is entered into by and between the parties hereto and for their benefit. There is no intent by either party to create or establish a third-party beneficiary status or rights in any third party to this Agreement.
i. Representation by Counsel. Each party acknowledges that it has had the opportunity to be represented by counsel of such party’s choice with respect to this Agreement. In view of the foregoing and notwithstanding any otherwise applicable principles of construction or interpretation, this Agreement shall be deemed to have been drafted jointly by the parties and in the event of any ambiguity, shall not be construed or interpreted against the drafting party.
j. Governing Law. This Agreement shall be governed and construed in accordance with the laws of the State of Colorado and the federal laws referenced herein, without reference to or reliance upon state rules regarding conflicts of laws. Any disputes arising hereunder shall be subject to the exclusive jurisdiction of the state and federal courts residing in the City and County of Denver.
k. Notices. Any notice, approval, request, authorization, direction or other communication under this Agreement will be given in writing and will be deemed to have been delivered and given for all purposes (a) on the delivery date if delivered by confirmed facsimile; (b) on the delivery date if delivered personally to the party to whom the same is directed; (c) one business day after deposit with a commercial overnight carrier, with written verification of receipt; or (d) five business days after the mailing date, if sent by U.S. mail, return receipt requested, postage and charges prepaid, or any other means of rapid mail delivery for which a receipt is available. The contact information below the parties’ signatures shall be each party’s notice address unless otherwise updated in writing to the other party.