1.1 Pursuant to the Health Insurance Portability and Accountability Act of 1996, as amended ("HIPAA"), you ("Covered Entity") and ZEALLY HEALTH, LLC, a Texas limited liability company, or any of its corporate affiliates ("Business Associate"), enter into this Business Associate Agreement ("BAA") as of the date of the Covered Entity’s creation of an account with the Business Associate (the "Effective Date"), which agreement addresses the HIPAA requirements with respect to "business associates," as defined under the privacy, security, breach notification, and enforcement rules at 45 C.F.R. Part 160 and Part 164 ("HIPAA Rules"). A reference in this BAA to a section in the HIPAA Rules means the section as in effect or as amended.
1.2 This BAA is intended to ensure that Business Associate will establish and implement appropriate safeguards for the Protected Health Information ("PHI") (as defined under the HIPAA Rules) that Business Associate may receive, create, maintain, use, or disclose in connection with the functions, activities, and services that Business Associate performs for Covered Entity. The functions, activities, and services that Business Associate performs for Covered Entity are defined in that certain SaaS Solutions Agreement entered into between the Covered Entity and the Business Associate (the "Underlying Agreement").
1.3 Pursuant to changes required under the Health Information Technology for Economic and Clinical Health Act of 2009 (the "HITECH Act") and under the American Recovery and Reinvestment Act of 2009 ("ARRA"), this BAA also reflects federal breach notification requirements imposed on Business Associate when "Unsecured PHI" (as defined under the HIPAA Rules) is acquired by an unauthorized party, and the expanded privacy and security provisions imposed on business associates.
1.4 Unless the context clearly indicates otherwise, the following terms in this BAA shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, disclosure, Electronic Media, Electronic Protected Health Information (ePHI), Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Required By Law, Secretary, Security Incident, Subcontractor, Unsecured PHI, and use.
1.5 A reference in this BAA to the Privacy Rule means the Privacy Rule, in conformity with the regulations at 45 C.F.R. Parts 160-164 (the "Privacy Rule") as interpreted under applicable regulations and guidance of general application published by the HHS, including all amendments thereto for which compliance is required, as amended by the HITECH Act, ARRA and the HIPAA Rules.
2.1 Business Associate agrees not to use or disclose PHI, other than as permitted or required by this BAA or as Required By Law, or if such use or disclosure does not otherwise cause a Breach of Unsecured PHI.
2.2 Business Associate agrees to use appropriate safeguards, and comply with Subpart C of 45 C.F.R. Part 164 with respect to ePHI, to prevent use or disclosure of PHI other than as provided for by the BAA.
2.3 Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate as a result of a use or disclosure of PHI by Business Associate in violation of this BAA's requirements or that would otherwise cause a Breach of Unsecured PHI.
2.4 The Business Associate agrees to the following breach notification requirements:
2.5 Business Associate agrees, in accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, to require that any Subcontractors that create, receive, maintain, or transmit PHI on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information.
2.6 Business Associate agrees to make available PHI in a Designated Record Set to the individual or the individual’s designee as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. § 164.524.
2.7 Business Associate agrees to make any amendments to PHI in a Designated Record Set as directed or agreed to by the Covered Entity pursuant to 45 C.F.R. § 164.526, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. § 164.526.
2.8 Business Associate agrees to maintain and make available the information required to provide an accounting of disclosures to the individual as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. § 164.528.
2.9 Business Associate agrees to make its internal practices, books, and records, including policies and procedures regarding PHI, relating to the use and disclosure of PHI and Breach of any Unsecured PHI received from Covered Entity, or created or received by the Business Associate on behalf of Covered Entity, available to Covered Entity (or the Secretary) for the purpose of Covered Entity or the Secretary determining compliance with the Privacy Rule (as defined in SECTION 8).
2.10 To the extent that Business Associate is to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 C.F.R. Part 164, Business Associate agrees to comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s).
2.11 Business Associate agrees to account for the following disclosures:
2.12 Business Associate agrees to comply with the "Prohibition on Sale of Electronic Health Records or Protected Health Information," as provided in section 13405(d) of Subtitle D (Privacy) of ARRA, and the "Conditions on Certain Contacts as Part of Health Care Operations," as provided in section 13406 of Subtitle D (Privacy) of ARRA and related guidance issued by the Secretary from time to time.
2.13 Business Associate agrees to comply with the use and disclosure requirements of this BAA and any guidance issued by the Secretary from time to time with respect to such use and disclosure requirements.
3.1 General Uses and Disclosures. Business Associate agrees to receive, create, use, or disclose PHI only in a manner that is consistent with this BAA, the Privacy Rule, or Security Rule (as defined in SECTION 5) and only in connection with providing services to Covered Entity; provided that the use or disclosure would not violate the Privacy Rule, including 45 C.F.R. § 164.504(e), if the use or disclosure would be done by Covered Entity. For example, the use and disclosure of PHI will be permitted for "treatment, payment and health care operations," in accordance with the Privacy Rule.
3.2 Business Associate may use or disclose PHI as Required By Law.
3.3 Business Associate agrees to make uses and disclosures and requests for PHI consistent with Covered Entity’s Minimum Necessary policies and procedures.
3.4 Business Associate may not use or disclose PHI in a manner that would violate Subpart E of 45 C.F.R. Part 164 if done by the Covered Entity.
3.5 Specific Other Uses and Disclosures: Business Associate may utilize de-identified PHI, in accordance with 45 C.F.R. § 164.514(a)-(c) for the purpose of analyzing utilization of telemedicine services offered through Covered Entity’s business.
4.1 Covered Entity shall:
4.2 Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy and Security Rule if done by Covered Entity, except as provided under SECTION 3 of this BAA.
5.1 Business Associate shall comply with the HIPAA Security Rule, which shall mean the Standards for Security of Electronic Protected Health Information at 45 C.F.R. Part 160 and Subparts A and C of Part 164, as amended by ARRA and the HITECH Act. The term "Electronic Health Record" or "EHR" as used in this BAA shall mean an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff.
5.2 In accordance with the Security Rule, Business Associate agrees to:
6.1 This BAA shall be in effect as of the date of execution of the Underlying Agreement, and shall terminate on the earlier of the date that:
6.2 Upon either party's knowledge of material breach by the other party, the non-breaching party shall provide an opportunity for the breaching party to cure the breach or end the violation; or terminate the BAA. If the breaching party does not cure the breach or end the violation within a reasonable timeframe not to exceed thirty (30) days from the notification of the breach, or if a material term of the BAA has been breached and a cure is not possible, the non-breaching party may terminate this BAA and the Underlying Agreement, upon written notice to the other party.
6.3 Upon termination of this BAA for any reason, Business Associate, with respect to PHI received from Covered Entity, or created, maintained, or received by Business Associate on behalf of Covered Entity, shall:
6.4 The obligations of Business Associate under this SECTION 6 shall survive the termination of this BAA.
7.1 The parties agree to take such action as is necessary to amend this BAA to comply with the requirements of the Privacy Rule, the Security Rule, HIPAA, ARRA, the HITECH Act, the HIPAA Rules, and any other applicable law.
7.2 The respective rights and obligations of Business Associate and Covered Entity under SECTION 6 of this BAA shall survive the termination of this BAA.
7.3 This BAA shall be interpreted in the following manner:
7.4 This BAA constitutes the entire agreement between the parties related to the subject matter of this BAA, except to the extent that the Underlying Agreement imposes more stringent requirements related to the use and protection of PHI upon Business Associate. This BAA supersedes all prior negotiations, discussions, representations, or proposals, whether oral or written. This BAA may not be modified unless done so in writing and signed by a duly authorized representative of both parties. If any provision of this BAA, or part thereof, is found to be invalid, the remaining provisions shall remain in effect.
7.5 This BAA will be binding on the successors and assigns of the Covered Entity and the Business Associate. However, this BAA may not be assigned, in whole or in part, without the written consent of the other party. Any attempted assignment in violation of this provision shall be null and void.
7.6 This BAA may be executed in two or more counterparts, each of which shall be deemed an original.
7.7 Except to the extent preempted by federal law, this BAA shall be governed by and construed in accordance with the same internal laws as that of the Underlying Agreement.