Business Associate Agreement
Last Updated: August 20, 2021
The Parties are committed to complying with the terms of this Agreement and HIPAA as well as the Department of Health and Human Services (“HHS”) HIPAA Privacy and Security, Social Security Act, and the HIPAA HITECH Standards. In particular, the Parties agree to the following:
- To the limitations on use and disclosure as established under the terms of this Agreement.
- BUSINESS ASSOCIATE hereby agrees to refrain from the use or disclosure of PHI provided or made available other than as expressly permitted or required under this contract.
- BUSINESS ASSOCIATE shall establish and maintain appropriate safeguards to prevent the use or disclosure of PHI and implement and maintain administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of any electronic PHI that BUSINESS ASSOCIATE receives from COVERED ENTITY or that BUSINESS ASSOCIATE creates, receives, maintains or transmits on behalf of COVERED ENTITY.
PERMITTED USES AND DISCLOSURES BY BUSINESS ASSOCIATE
COVERED ENTITY acknowledges and agrees that BUSINESS ASSOCIATE may receive, use and disclose PHI as necessary to perform its obligations under the TOU including but not limited to:
- Using the PHI in its possession for the proper management and administration of its business, for data aggregate purposes and to fulfill any present or future legal responsibilities of the BUSINESS ASSOCIATE provided that such uses are permitted under state and federal confidentiality laws.
- Disclosing the PHI in its possession to third parties for the purpose of its proper management and administration or to fulfill any present or future legal responsibilities of the BUSINESS ASSOCIATE, including reporting violations of law to appropriate Federal and State authorities, provided that (i) such disclosures are required by law, or (ii) the BUSINESS ASSOCIATE has received from the third party written assurances regarding its confidential handling of such PHI as required under 45 C.F.R. § 164.504(e)(4) and § 164.314, and the third party notifies the BUSINESS ASSOCIATE of any instances of which it is aware in which the confidentiality of the information has been breached.
All other uses not authorized by this Agreement are prohibited. Moreover, BUSINESS ASSOCIATE may disclose PHI for the purposes authorized by this Agreement only: (i) to its employees, subcontractors and agents, or (ii) as otherwise permitted by or as required by HIPAA.
REPORTS OF IMPROPER USE OR DISCLOSURE
BUSINESS ASSOCIATE hereby agrees to immediately report to COVERED ENTITY any and all breaches or improper uses or disclosures aside from those permitted in this Agreement or by the Health Insurance Portability and Accountability Act (HIPAA).
SAFEGUARDS TO PREVENT IMPROPER DISCLOSURES
BUSINESS ASSOCIATE agrees to use appropriate safeguards to prevent use or disclosure of the Protected Health Information in any manner other than as provided for by this Agreement and as required by the Health Insurance Portability and Accountability Act. Upon request, BUSINESS ASSOCIATE shall allow COVERED ENTITY to review such safeguards and security measures and procedures.
BUSINESS ASSOCIATE agrees to mitigate, to the maximum extent practicable, any harmful effect that is known to Business Associate from use or disclosure of information in a manner contrary to terms of this Agreement or according to the Health Insurance Portability and Accountability Act.
SUBCONTRACTORS AND AGENTS EMPLOYED BY BUSINESS ASSOCIATE
BUSINESS ASSOCIATE hereby agrees that any and all PHI provided or made available to its subcontractors or agents shall be handled under the same terms, conditions, and restrictions on use and disclosure of PHI as agreed upon in this contract between COVERED ENTITY and BUSINESS ASSOCIATE.
BUSINESS ASSOCIATE agrees to develop/implement a punitive course of action for its employees, subcontractors, or agents who violate terms of this contract or privacy regulations under the Health Insurance Portability and Accountability Act.
RIGHT TO ACCESS BY THE FEDERAL GOVERNMENT’S DEPARTMENT OF HEALTH AND HUMAN SERVICES
BUSINESS ASSOCIATE hereby agrees to make its internal practices (including policies and procedures), books, and records relating to use or disclosure of PHI gained or received under terms of this Agreement available to the Secretary of the Department of Health and Human Services or the Secretary's designee for purpose of determining compliance with Privacy and Security standards under the Health Insurance Portability and Accountability Act.
RIGHTS OF INDIVIDUALS TO ACCESS INFORMATION
BUSINESS ASSOCIATE hereby agrees to make available and provide individuals the right to inspect and receive a copy of their PHI in accordance with 45 CFR § 164.524.
BUSINESS ASSOCIATE agrees to cooperate in making PHI available to individuals for amendment and agrees to document explicit modifications by the individual in accordance with 45 CFR § 164.526.
BUSINESS ASSOCIATE agrees to provide an account of PHI disclosures to an individual in accordance with 45 CFR § 164.528.
If BUSINESS ASSOCIATE conducts any HIPAA Standard Transaction for or on behalf of COVERED ENTITY, Business Associate shall comply in accordance with 45 CFR § 162.
Shared information, including de-identified PHI, shall be and remains property of COVERED ENTITY. BUSINESS ASSOCIATE agrees that it acquires no title or rights to an individual’s PHI as a result of this Agreement.
RESPONSIBILITIES OF COVERED ENTITIES
COVERED ENTITY hereby agrees:
- To inform the BUSINESS ASSOCIATE of any limitations in the form of notice of privacy practices that COVERED ENTITY provides to individuals pursuant to 45 C.F.R. § 164.520, to the extent that such limitation may affect BUSINESS ASSOCIATE’s use or disclosure of PHI.
- To inform the BUSINESS ASSOCIATE of any changes in, or revocation of, the permission by an individual to use or disclose PHI, to the extent that such limitation may affect BUSINESS ASSOCIATE’s use or disclosure of PHI.
- To notify the BUSINESS ASSOCIATE, in writing and in a timely manner, of any restriction on the use or disclosure of PHI that COVERED ENTITY has agreed to or is required to abide by under 45 CFR 164.522, to the extent that such restriction may impact in any manner the use and/or disclosure of PHI by the BUSINESS ASSOCIATE under this Agreement.
- COVERED ENTITY will not request BUSINESS ASSOCIATE to use or disclose PHI in any manner that would not be permissible under HIPAA and any other applicable law if done by the COVERED ENTITY.
TERM AND TERMINATION
The Term of this Agreement shall commence on the effective date of the Services Agreement and shall automatically terminate on the termination date of the Services Agreement or on the date COVERED ENTITY terminates this Agreement for cause as authorized below under TERMINATION FOR CAUSE.
TERMINATION FOR CAUSE
BUSINESS ASSOCIATE agrees that COVERED ENTITY has the right to immediately terminate this Agreement and seek relief under the Disputes Article if COVERED ENTITY determines that BUSINESS ASSOCIATE has violated a material term of this Agreement and BUSINESS ASSOCIATE has not cured the breach or ended the violation within the time specified by COVERED ENTITY. For greater certainty, non-compliance by BUSINESS ASSOCIATE (or any of its subcontractors or agents) with any terms of this Agreement or the Health Insurance Portability and Accountability Act will automatically be considered grounds for breach.
RETURN OR DESTRUCTION OF INFORMATION
Upon termination of this Agreement for any reason, BUSINESS ASSOCIATE hereby agrees to return or destroy all PHI received or created on behalf of COVERED ENTITY. BUSINESS ASSOCIATE agrees not to retain any copies of PHI after termination of this Agreement. If return or destruction of the PHI is not feasible, BUSINESS ASSOCIATE agrees to extend protections outlined in this Agreement and agrees to limit all further use or disclosure and agrees to provide COVERED ENTITY with written confirmation that the PHI has been destroyed.
The respective rights and obligations of BUSINESS ASSOCIATE and COVERED ENTITY under this Agreement shall survive termination of this Agreement.
COMPLIANCE WITH STATE LAW
BUSINESS ASSOCIATE acknowledges that by accepting PHI from COVERED ENTITY, it becomes a holder of medical records information under the state Privacy laws and is subject to the provisions of that law. If the HIPAA Privacy or Security Rules and the state Privacy law conflict regarding the degree of protection provided for PHI, Business Associate shall comply with the more restrictive protection requirement.
Notwithstanding any rights or remedies provided for in this contract, COVERED ENTITY retains all rights to seek injunctive relief to prevent or stop unauthorized use or disclosure of PHI by BUSINESS ASSOCIATE or any agent, contractor, or third party that received PHI from BUSINESS ASSOCIATE.
Parties agree to exercise good faith in performance of this contract.
Each party shall indemnify the other party and hold it harmless from and against any penalties, losses, claims, damages or liabilities (or actions in respect thereof) to which it may become subject insofar as such penalties, losses, claims, damages or liabilities (or actions in respect thereof) arise out of or are based upon any unauthorized use or disclosure of Protected Health Information by the indemnifying party.
Any controversy or claim arising from or relating to the terms defined under this contract is subject to settlement by compulsory arbitration in accordance with the Commercial Arbitration Rules of the American Arbitration Association, except for injunctive relief.
Each party agrees to bear its own legal expenses and any other cost incurred for actions or proceedings brought about by enforcement of this contract, or from an alleged dispute, breach, default, misrepresentation, or injunctive action associated with the provisions of this contract.
Neither party has the authority to reassign this Agreement without the other’s written consent.
The terms of this Agreement consist of this document and constitute the entire agreement between the stated parties in relation to the subject matter hereof.
Any notices to be given hereunder to a Party shall be made as described in the TOU agreement to such Party’s address given below:
If to Business Associate, to:
600 Matheson Blvd. W.,
Mississauga, ON, L5R 4B8
If to COVERED ENTITY, to:
The current address associated with COVERED ENTITY’s account under the Services Agreement, where applicable.
Both Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for them to comply with the requirements of the Health Insurance Portability and Accountability Act and any other applicable law.
Any ambiguity in this Agreement shall be resolved to permit COVERED ENTITY and BUSINESS ASSOCIATE to comply with the Health Insurance Portability and Accountability Act.