Preamble and Definitions
This Business Associate Agreement (“BAA”), which addresses the HIPAA requirements with respect to “business associates”, is made and entered into as of the Effective Date by and between Client (“Customer”) and ScriptRx, Inc., d/b/a Bravado Health (“Business Associate”).
Whereas, Customer and Business Associate are likely required to meet the requirements of the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191 (the “Act”); the privacy standards adopted by the U.S. Department of Health and Human Services (“HHS”) as they may be amended from time to time, 45 C.F.R. parts 160 and 164, subparts A and E (the “Privacy Rule”); the security standards adopted by HHS as they may be amended from time to time, 45 C.F.R. parts 160, 162, and 164, subpart C (the “Security Rule”); and the privacy provisions (Subtitle D) of the Health Information Technology for Economic and Clinical Health Act, Division A, Title XIII of Pub. L. 111-5, and its implementing regulations (the “HITECH Act”), due to their status as a “Business Associate” under the Act. (The Act, the Privacy Rule, the Security Rule and the HITECH Act are collectively referred to as “HIPAA” for the purposes of this BAA);
Whereas, in order to provide the Services under this BAA, Business Associate may receive, use and maintain certain Protected Health Information (“PHI”) on behalf of Customer, and for purposes of complying with HIPAA, to the extent applicable; and
Whereas, the parties desire to enter into this BAA in order (i) to protect the privacy and provide for the security of PHI received, used and maintained by Business Associate on behalf of Customer; and (ii) to satisfy certain requirements imposed upon the parties by HIPAA, if and to the extent applicable.
Therefore, in consideration of the mutual benefits of complying with laws and regulations stated above, Customer and Business Associate agree as follows:
- “Minimum Necessary” means the minimum amount of PHI necessary to accomplish the intended purpose of the use, disclosure or request of PHI under the Services Agreement. Such definition shall be modified herein in accordance with any changes to such phrase as adopted by HHS from time to time.
- Other Terms. All other terms not specifically defined in this BAA shall have the meanings attributed to them under HIPAA.
- Permitted Uses and Disclosures.
- Except as otherwise limited in this BAA, Business Associate may receive, use or disclose PHI on behalf of, or to provide services to, Customer pursuant to the Services Agreement, if such receipt, use or disclosure of PHI would not violate HIPAA or the terms of this BAA. Business Associate may use PHI for the proper management and administration of Customer business and/or to provide data aggregation services relating to the health care operations of Customer.
- Notwithstanding the foregoing, Business Associate shall not disclose PHI unless: (i) required by law; or (ii) it obtains commercially reasonable assurances from the person to whom the PHI is disclosed that it will be kept confidential and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person agrees to notify Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached as required under 45 C.F.R. 164.504(e)(4).
- Business Associate shall limit its use, disclosure or request of PHI, to the extent practicable, to a Limited Data Set or, if needed, to the Minimum Necessary amount of PHI needed to accomplish the intended purpose of the use, disclosure or request.
- Safeguards for the Protection of PHI. Business Associate shall use appropriate safeguards to prevent use or disclosure of PHI, other than as provided for in this BAA. Business Associate shall implement and maintain such administrative, physical and technical safeguards required by HIPAA to reasonably and appropriately protect the confidentiality, integrity and availability of electronic PHI that it creates, receives, maintains or transmits on behalf of Customer to provide the Services under the Services Agreement as are applicable to such Services.
- Reporting of Unauthorized Uses or Disclosures of PHI and Breaches of Unsecured PHI.
- Business Associate shall initially report to Customer, within ten (10) calendar days, any use or disclosure of PHI of which Business Associate becomes aware and for which Business Associate is responsible that is not provided for or permitted by this BAA or under HIPAA; provided, however, that such ten (10) calendar day period will automatically be extended an additional ten (10) calendar days, during which time Business Associate will prepare a Breach notification.
- Business Associate shall initially report to Customer any successful security incident (defined below) of which Business Associate becomes aware and for which Business Associate is responsible, not later than ten (10) calendar days after discovery of the successful security incident provided, however, that such ten (10) calendar day period will automatically be extended an additional ten (10) calendar days, during which time Business Associate will prepare a Breach notification. For the purposes of this BAA, a “successful security incident” is the successful, unauthorized access, use, disclosure, modification or destruction of Customer’s PHI.
- Business Associate shall initially notify Customer of a Breach of unsecured PHI within ten (10) calendar days after discovery of such Breach; provided, however, that such ten (10) calendar day period will automatically be extended an additional ten (10) calendar days, during which time Business Associate will prepare a Breach notification, in accordance with the content requirements of 45 C.F.R. 164.410, if known to Business Associate. The notification shall include the following, to the extent possible: (i) a brief description of the event, including the date of the Breach and the date of its discovery; (ii) the types of unsecured PHI involved in the Breach (e.g., name, diagnosis, social security number, etc.); and (iii) a brief description of steps taken by Business Associate to investigate, mitigate, and protect against further breaches.
- Business Associate shall have no obligation to correct or mitigate any unauthorized use or disclosure of PHI caused by Customer, except to the extent any such unauthorized use or disclosure of PHI was proximately caused by Business Associate’s material breach of its obligations under this BAA, and the burden of retrieval or destruction of PHI in the event of any such unauthorized use or disclosure shall rest entirely with Customer.
- Customer shall be responsible for notifications made to any third party to whom notification is required, including, without limitation, state or federal regulators or affected individuals whose PHI is the subject of a notification.
- Use of Subcontractors. To the extent that Business Associate uses one or more subcontractors or agents to perform its obligations under any agreement with Customer, and such subcontractors or agents receive or have access to PHI, Business Associate agrees to obtain written assurances that any such subcontractors or agents agree to restrictions and conditions which are substantially similar to those that apply to Business Associate with respect to such PHI under this BAA, including the requirement that subcontractors and agents implement reasonable and appropriate safeguards to protect electronic PHI that is disclosed to subcontractors and agents by Business Associate.
- Authorized Access to PHI. To enable Customer to fulfill its obligations under the Privacy Rule, Business Associate shall make PHI in Designated Record Sets that are maintained by Business Associate or its agents or subcontractors available to Customer for inspection or copying within ten (10) calendar days of a request by Customer, within normal business hours and at Customer’s expense. If an Individual requests inspection or copying of PHI directly from Business Associate or its agents or subcontractors, Business Associate shall notify Customer in writing within ten (10) business days of Business Associate’s receipt of such request, and, if the request is in writing, shall provide Customer with a copy of the request.
- Amendment to PHI. To enable Customer to fulfill its obligations under the Privacy Rule, and to the extent that Business Associate or its agents or subcontractors maintain PHI in a Designated Record Set, Business Associate shall amend such PHI in accordance with Customer’s written request within twenty (20) calendar days of such request by Customer, at Customer’s expense. If an Individual requests amendment of PHI directly from Business Associate or its agents or subcontractors, Business Associate shall notify Customer in writing within ten (10) business days of Business Associate’s receipt of such request, and, if the request is in writing, shall provide Customer with a copy of the request. Business Associate shall not knowingly or intentionally modify any PHI absent the consent of Customer.
- Accounting of Disclosures of PHI. Business Associate shall keep records of all disclosures of PHI made by Business Associate (the “Disclosure Accounting”) on an ongoing basis for six (6) years or for such other period of time as may be specified by HHS, by rule, except for disclosures:
- To carry out Treatment, Payment, or Health Care Operations, as provided in 45 C.F.R. 164.502; provided, however, that, Business Associate shall, to the extent required by the HITECH Act and the accompanying regulations, keep a record of disclosures to carry out Treatment, Payment, or Health Care Operations made via an electronic health record for a period of at least three (3) years; or
- As otherwise excluded, as described at 45 C.F.R. 164.528(i)-(ix).
- Business Associate shall provide the Disclosure Accounting to Customer (i) no later than thirty (30) days after receipt of written request for such Disclosure Accounting by Customer pursuant to 45 C.F.R. 164.528, or (ii) in accordance with HIPAA.
- Electronic Copies of PHI. To enable Customer to fulfill obligations under Section 13405(e) of the HITECH Act and any regulations that HHS may promulgate thereunder that pertain to an Individual’s request for an electronic copy of his or her PHI that is used or maintained in an Electronic Health Record, to the extent Business Associate uses or maintains PHI in an Electronic Health Record, Business Associate shall provide Customer with a copy of such information in electronic format, at Customer’s expense in a mutually agreed format, within twenty (20) calendar days of a request by Customer.
- Application of Obligations that Require Access to PHI. The obligations of Business Associate hereunder that are derived from the Privacy Rule and from the privacy provisions of Sections 13404, 13405 and 13406 of the HITECH Act and that require access to PHI of the Customer apply to Business Associate only to the extent that Business Associate has access to PHI sufficient to allow it to fulfill such obligations.
- Obligations of Customer.
- Customer shall notify Business Associate of any restriction on the use or disclosure of PHI to which Customer has agreed in accordance with 45 C.F.R. 164.522(a)(1) as well as any restrictions on disclosure with which Customer must comply pursuant to the HITECH Act, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.
- Customer shall notify Business Associate of any limitation(s) in Customer’s notice of privacy practices in accordance with the requirements for such notice set forth in 45 C.F.R. § 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI.
- Customer shall notify Business Associate in writing of any changes in, or revocation of, permission by an Individual to use or disclose such Individual’s PHI to the extent that such change or revocation may affect Business Associate’s use or disclosure of PHI or its ability to perform its obligations under any applicable agreement with Customer or the law. Customer shall also obtain, in writing, any Individual consent, authorization, and other permissions that may be necessary or required by applicable laws in order to transfer or disclose the PHI to Business Associate.
- Customer shall not request that Business Associate use or disclose PHI in any manner that would not be permissible under HIPAA if done by Customer.
- Permitted Uses and Disclosures.
- Term. The term of this BAA shall commence as of the Effective Date and shall continue in effect until terminated in accordance with Subsection 3.2.
- Termination.
- This BAA shall terminate automatically upon the termination or expiration of the Services Agreement.
- Upon either party’s knowledge of a breach of a material term of this BAA by the other party, the non-breaching party shall provide the breaching party with written notice of such breach. If such breach is not cured to the reasonable satisfaction of the non-breaching party, within thirty (30) days of the breaching party’s receipt of written notice of the breach, the non-breaching party may terminate this BAA and the Services Agreement. Consent to approval of the cure shall not be unreasonably withheld. If such termination is not administratively feasible, the non-breaching party shall report the problem to the Secretary of HHS.
- Any such termination of this BAA by Business Associate shall be subject to the obligation of Customer to pay all amounts due to Business Associate in the event of termination as described in the Services Agreement, unless the subject of a bona fide dispute.
- Upon termination of this BAA for any reason, Business Associate shall, if feasible, return or destroy all PHI or any copies thereof received from Customer that Business Associate or its agents or subcontractors still maintain in any form. At Customer’s request, Business Associate shall certify to Customer that same has been undertaken and completed. If return or destruction is infeasible, Business Associate or its agents or subcontractors shall continue to extend the protections of this BAA to such information, and shall limit further use of such PHI to those purposes that make the return or destruction of such PHI infeasible.
- The obligations of the parties under this Subsection 3.2, the obligations of Business Associate under Subsection 2.1 and the obligations of Customer under Subsection 2.10 shall survive termination of this BAA. All other provisions of this BAA shall survive termination of this BAA to the extent necessary to give effect to such terms.
- Applicability. This Agreement shall be applicable to PHI received by Business Associate from Customer or created or received by Business Associate on behalf of Customer.
- Amendments. If any modification to this BAA is required for conformity with any law, regulation, court decision and/or any interpretive guidance or policy, either party shall notify the other of such proposed modification(s) (“Required Modifications”). The parties agree that such Required Modifications shall be mutually agreed to by the parties in writing and will be made in accordance with the Change Order provision of the Services Agreement.
- Non-Performance by Customer.
- Business Associate shall be excused from its failure to perform its responsibilities under the Services Agreement and this BAA if its responsibilities are dependent upon Customer’s performance, and Customer (or its contractor or agent) does not perform its obligations under this BAA.
- In the event that Business Associate is impeded from the provision of its Services as a result of Customer’s failure to perform, Customer shall remain obligated to pay Business Associate for its Services as agreed upon, unless the subject of a bona fide dispute.
- Compliance with Other Laws. Business Associate has the right to determine its own compliance with any and all laws applicable to Business Associate. Business Associate shall not be in breach of this BAA if Business Associate refuses to act on a request by Customer that Business Associate reasonably believes violates an applicable law.
- No Third Party Beneficiaries. Nothing express or implied in this BAA is intended to confer, nor shall anything herein confer, upon any person other than Customer, Business Associate and their respective successors or assigns, any rights, remedies, obligations or liabilities whatsoever.
- Conflicts. All terms of the Services Agreement between the parties shall remain in full force and effect, except the terms and conditions of this BAA related to HIPAA override and control any conflicting term or condition of any other agreements which are in place between the parties. All non-conflicting terms and conditions of this BAA and any other agreement between the parties remain in full force and effect.
- Use of PHI Outside United States. Business Associate shall not, without Customer’s prior written approval, provide PHI to any employee or agent, including a subcontractor, if such employee, agent or subcontractor shall receive, possess or otherwise access PHI outside of the United States.
- Construction. This Agreement shall be construed as broadly as necessary to implement and comply with HIPAA. Any ambiguity in this BAA shall be resolved in favor of a meaning that complies with HIPAA.
- Audit Rights. Business Associate shall make its practices, books and records related to PHI available to HHS for the purpose of determining Business Associate’s and Customer’s compliance with this BAA and HIPAA.
- Notices. All notices required to be given to either party under this BAA will be in writing and sent by traceable carrier to each party’s address indicated below, or such other address as a party may indicate by at least fifteen (15) days’ prior written notice to the other party. Notices will be effective upon receipt.
Customer:
(Organization Name)
(Organization Address)
Business Associate:
Bravado Health
312 Clematis, Suite 301
West Palm Beach, FL 33401
Attn: Legal Department
Telephone: 561-805-5935
Email: info@bravadohealth.com
- Counterparts. This Agreement and any exhibits hereto may be executed in one or more counterparts; each counterpart shall be deemed an original.
- Governing Law. This Agreement shall be governed by and interpreted in accordance with the laws of the state of Florida. Jurisdiction and venue for any dispute relating to this BAA shall rest exclusively with the state courts of Florida located in Palm Beach County, Florida.