Office Ally Business Associate Agreement

Health Insurance Portability & Accountability Act (HIPAA)

This Business Associate Agreement (“Agreement”) by and between you (hereinafter known as “Covered Entity”) and Office Ally, Inc., a Covered Entity (a Health Care Clearinghouse) under HIPAA, providing Business Associate services (hereinafter known as “Business Associate”), is effective as of the date on which Covered Entity acknowledges and agrees to the Business Associate’s User Agreement through a separate form or online enrollment process (“Effective Date”). Covered Entity and Business Associate shall collectively be known herein as “the Parties.” 

WHEREAS, Covered Entity wishes to commence a business relationship with Business Associate whereby Business Associate will create, receive, maintain, or transmit PHI in order to provide products and services to Covered Entity pursuant to any underlying service agreement(s) (the “Underlying Agreements”); 

WHEREAS, the nature of the prospective contractual relationship between Covered Entity and Business Associate may involve the exchange of Protected Health Information (“PHI”) as those terms are defined under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), including all pertinent regulations issued by the Department of Health and Human Services (“HHS”); 

WHEREAS, Covered Entity and Business Associate intend to protect the privacy and provide for the security of PHI that Business Associate creates, receives, maintains, or transmits on Covered Entity’s behalf, in compliance with the Privacy and Security Rules. 

NOW THEREFORE, in consideration of the mutual recitals above, and the exchange of information pursuant to this Agreement, the Parties agree as follows:

I. Definitions

  • Catch-all Definitions. The following capitalized terms used in this Agreement shall have the same meaning as those terms in the HIPAA Rules: “Breach,” “Business Associate,” “Covered Entity,” “Data Aggregation,” “Designated Record Set,” “Data Use Agreement,” “Disclose” or “Disclosure,” “Health Care Clearinghouse,” “Health Care Operations,” “Minimum Necessary,” “Notice of Privacy Practices,” “Public Health Authority,” “Required By Law,” “Research,” “Secretary,” “Security Incident,” “Subcontractor,” “Unsecured Protected Health Information,” and “Use.”

  • “Discovery” shall mean the first day on which a Breach is known to Business Associate (including any person, other than the individual committing the Breach, that is an employee, officer, or other agent of Business Associate), or should reasonably have been known to Business Associate, to have occurred.

  • “HIPAA” or “Health Insurance Portability and Accountability Act of 1996” is Public Law 104-191, as codified at 42 U.S.C. §§ 1320d to 1320d-9 and amended, under which the Privacy and Security Rules were promulgated.

  • “HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules in 45 CFR Part 160 and 164.

  • “HITECH Act” or “Health Information Technology for Economic and Clinical Health Act” are those provisions set forth in Title XIII of Public Law 111-5 as enacted on February 17, 2009.

  • “Individual” shall have the same meaning as the term “individual” in 45 CFR § 160.103, and shall include a person who qualifies as a personal representative in accordance with 45 CFR § 164.502(g).

  • “Privacy Rule” is the regulation entitled “Standards for Privacy of Individually Identifiable Health Information,” promulgated under HIPAA and/or the HITECH Act and codified at 45 CFR Part 160 and 164, Subparts A and E.

  • “Protected Health Information” (“PHI”) and “Electronic Protected Health Information” (“ePHI”) shall have the meaning given to such terms in 45 CFR § 160.103, limited to the information created, received, maintained, or transmitted by Business Associate from, or for or on behalf of, Covered Entity.

  • “Security Rule” is the regulation entitled “Security Standards for the Protection of Electronic Protected Health Information,” promulgated under HIPAA and/or the HITECH Act and codified at 45 CFR, Part 160 and 164, Subparts A and C.

II. Obligations Of Business Associate

  • Limitation(s) on Uses and Disclosures. Business Associate agrees to not Use or Disclose PHI other than as permitted or required by this Agreement, the Underlying Agreements, or as Required by Law.

  • Permitted Uses and Disclosures. Business Associate may Use and Disclose PHI created or received pursuant to the Underlying Agreements as follows:

    • To carry out the purposes of the Underlying Agreements. Business Associate may Use and Disclose PHI to perform its obligations pursuant to the Underlying Agreements, provided that such Use or Disclosure would not violate the Privacy Rule if done by Covered Entity.

    • Use for Management and Administration. Business Associate may Use PHI if such Use is necessary (i) for the proper management and administration of Business Associate or (ii) to carry out the legal responsibilities of Business Associate.

    • Disclosure for Management and Administration. Business Associate may Disclose PHI for the proper management and administration of Business Associate if (i) the Disclosure is Required by Law or (ii) Business Associate (a) obtains reasonable assurances from the third party to whom the PHI is Disclosed that such PHI will be held confidentially and Used or further Disclosed only as Required by Law, or for the purpose for which it was Disclosed to the third party and (b) the third party agrees to notify Business Associate of any instances of which it becomes aware in which the confidentiality and security of the PHI has been breached.

    • Data Aggregation Services. Business Associate may Use PHI to provide Data Aggregation services relating to the Health Care Operations of Covered Entity.

    • De-Identification of PHI. Business Associate may Use PHI to create de-identified information in accordance with 45 CFR § 164.514(b).

    • Treatment, Payment, and Health Care Operations of Other Covered Entities. Business Associate may Use and Disclose PHI for the treatment, payment, and health care operations of other covered entities, subject to the limitations in 45 CFR § 164.506(c), the Minimum Necessary requirements, where applicable, and other applicable restrictions of federal and state laws and regulations.

    • Public Health. Business Associate may Use and Disclose PHI for public health purposes in accordance with the requirements of 45 CFR §§ 164.512(b) and 164.514(e) and other applicable restrictions of federal and state laws and regulations.

    • Health Oversight. Business Associate may Disclose PHI to a health oversight agency for oversight activities authorized by law in accordance with the requirements of 45 CFR § 164.512(d) and other applicable restrictions of federal and state laws and regulations.

    • Disclosures for Judicial and Administrative Proceedings and for Law Enforcement Purposes. Business Associate may Disclose PHI in response to an order of a court or administrative tribunal, court-ordered warrant, subpoena, discovery request, or other lawful process, in accordance with the requirements of 45 CFR § 164.512(a), (e), and (f) and other applicable restrictions of federal and state laws and regulations.

    • Limited Data Set. Upon Covered Entity’s request, Business Associate may Use PHI to create Limited Data Set(s) in accordance with 45 CFR § 164.514(e), and may Use or Disclose such Limited Data Sets for Health Care Operations, Research, or public health purposes pursuant to a Data Use Agreement and in accordance with 45 CFR § 164.514(e) and other applicable restrictions of federal and state laws and regulations.

    • Authorization. Business Associate may Use and Disclose PHI as authorized by an Individual using an authorization that complies with the requirements of 45 CFR § 164.508.

  • Safeguards. Business Associate shall use appropriate safeguards to prevent Use or Disclosure of PHI other than as provided for by this Agreement.

  • Security Rule. With respect to ePHI, Business Associate shall comply with the applicable requirements of the Security Rule.

  • Reporting of Impermissible Uses and Disclosures, Security Incidents, and Breaches. Business Associate agrees to report to Covered Entity any Use or Disclosure of PHI not provided for by this Agreement or any Security Incident of which Business Associate becomes aware, except that this section shall hereby serve as notice, and no additional reporting shall be required, of the regular occurrence of unsuccessful attempts at unauthorized access, Use, Disclosure, modification, or destruction of ePHI or interference with system operations in an information system containing ePHI. After Discovery of an impermissible Use, Disclosure or Security Incident, Business Associate shall report such incident to the Covered Entity without unreasonable delay and in no event more than thirty (30) days following Business Associate’s Discovery of the incident. In the event that such Use or Disclosure or Security Incident constitutes a Breach of Unsecured Protected Health Information, such notice shall include the identity of each Individual whose Unsecured PHI has been or is reasonably believed by Business Associate to have been accessed, acquired, Used, or Disclosed in connection with such Breach and any additional information set forth at 45 CFR § 164.410, to the extent available. In addition, Business Associate shall provide any additional information reasonably requested by Covered Entity for the purpose of investigating and responding to the Breach.

  • Mitigation. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that becomes known to Business Associate as a result of a Breach, or Use or Disclosure of PHI, by Business Associate in violation of the requirements of this Agreement.

  • Use of Subcontractors. Business Associate shall require any Subcontractors that create, receive, maintain, or transmit PHI on behalf of the Business Associate to agree to the same or more stringent restrictions, conditions, and requirements that apply to the Business Associate with respect to such PHI, including compliance with the applicable requirements of the Security Rule.

  • Availability of Information to Covered Entity. Within five (5) business days of receipt of a request from Covered Entity, Business Associate shall make available to Covered Entity PHI that Business Associate maintains in a Designated Record Set as necessary to allow Covered Entity to satisfy its obligations under 45 CFR § 164.524. If an Individual requests such information directly from Business Associate, Business Associate must so notify Covered Entity in writing within five (5) business days. Business Associate shall not give the Individual access to the information unless access is approved by Covered Entity in its discretion.

  • Amendment of PHI. Within five (5) business days of receipt of a request from Covered Entity, Business Associate shall make Covered Entity’s PHI that Business Associate maintains in a Designated Record Set available to Covered Entity so that Covered Entity may fulfill its obligations to amend such PHI pursuant to the Privacy Rule, including but not limited to 45 CFR § 164.526. If an Individual requests that Business Associate amend the Individual’s PHI, Business Associate must so notify Covered Entity in writing within five (5) business days and the Covered Entity may, in its discretion, determine whether to amend the PHI.

  • Accounting of Disclosures of PHI. Within five (5) business days of receipt of a request from Covered Entity, Business Associate shall make available to Covered Entity a list of Disclosures of PHI as required for Covered Entity to fulfill its obligations to provide an accounting of Disclosures pursuant to the Privacy Rule, including but not limited to 45 CFR § 164.528. Business Associate shall implement a process that allows for such an accounting. If an Individual requests such an accounting directly from Business Associate, Business Associate must so notify Covered Entity in writing within five (5) business days.

  • Availability of Books and Records. Business Associate shall make its internal practices, books and records relating to the Use and Disclosure of PHI created or received pursuant to this Agreement available to the Secretary of HHS for the purpose of determining Covered Entity’s compliance with the Privacy and Security Rules as set forth in 45 CFR § 160.310.

  • Minimum Necessary Amount of PHI. Business Associate acknowledges that it shall make reasonable efforts to request from Covered Entity, Use, and Disclose to its affiliates and Subcontractors, or other authorized third parties, only the Minimum Necessary amount of PHI to accomplish the intended purpose of such requests, Uses, or Disclosures.

  • Standard Transactions. If Business Associate conducts any Standard Transactions on behalf of Covered Entity, Business Associate shall comply with the applicable requirements of 45 CFR Parts 160 and 162.

  • Data Ownership. Business Associate acknowledges that Covered Entity is the owner of all the PHI created, received, maintained, or transmitted from, for or on behalf of the Covered Entity by Business Associate.

  • Privacy Rule Obligations. To the extent Business Associate is to carry out any of Covered Entity’s obligations under the Privacy Rule, Business Associate shall comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of such obligations. Furthermore, any specific listing of duties or functions to be performed by Business Associate for Covered Entity involving Covered Entity’s PHI that is contained in a separate contract (or addendum thereto) between the Parties is hereby incorporated by reference into this Agreement for the sole purpose of further elaborating duties and functions that Business Associate is contractually undertaking on behalf of the Covered Entity.

III. Obligations Of Covered Entity

  • Notice of Privacy Practices. Upon request of Business Associate, Covered Entity shall provide Business Associate with the Notices of Privacy Practices that Covered Entity produces in accordance with 45 CFR § 164.520.

  • Revocation of Authorization. Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by an Individual to Use or Disclose Protected Health Information, to the extent that such changes could reasonably be expected to affect Business Associate’s Use or Disclosure of PHI.

  • Restrictions. Covered Entity shall notify Business Associate of any restriction to the Use or Disclosure of PHI to which Covered Entity has agreed in accordance with 45 CFR § 164.522, to the extent that such restriction may reasonably be expected to affect Business Associate’s Use or Disclosure of PHI. Covered Entity also shall notify Business Associate of the termination of any such restriction.

  • Requests to Use or Disclose PHI. Covered Entity shall not request or cause Business Associate to Use or Disclose PHI in any manner that would not be permissible under the Privacy Rule if done by Covered Entity or that is not otherwise expressly permitted under Section (II)(b) hereof.

IV. Term And Termination

  • Term. The Term of this Agreement shall be effective as of the Effective Date and shall terminate when: (i) all of the PHI provided by Covered Entity to Business Associate or created or received by Business Associate on behalf of Covered Entity is returned to Covered Entity or destroyed (and a certificate of destruction is provided) or, if such return or destruction is infeasible, when protections are extended to such information pursuant to paragraph (c)(ii) of this section; or (ii) upon the expiration or termination of the last of the Underlying Agreements.

  • Termination for Cause. Upon Covered Entity’s knowledge of a material Breach by Business Associate, Covered Entity shall either:

    • Provide an opportunity for Business Associate to cure the Breach or end the violation, and terminate this Agreement and any Underlying Agreements if Business Associate does not cure the Breach or end the violation within the time specified by Covered Entity;

    • Immediately terminate this Agreement and any Underlying Agreements if Business Associate has breached a material term of this Agreement, and a cure is not possible.

  • Effect of Termination

    • Except as provided in paragraph (c)(ii) of this section, upon termination of this Agreement for any reason, Business Associate shall return or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of the Covered Entity. Business Associate shall make reasonable efforts to apply and enforce this provision with respect to PHI that is in the possession of Subcontractors of Business Associate. Business Associate shall retain no copies of the PHI except as Required by Law.

    • In the event that Business Associate determines that returning or destroying the PHI is infeasible, Business Associate shall extend the protections of this Agreement to such PHI, and limit further Uses and Disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI.

V. Indemnification And Limitation Of Liability

Business Associate shall indemnify and hold harmless the Covered Entity and its officers, trustees, employees, and agents from any and all third-party claims, penalties, fines, costs, liabilities or damages, including but not limited to reasonable attorneys’ fees, incurred by the Covered Entity arising from a violation by Business Associate of its obligations under this Agreement.

NOTWITHSTANDING THE FOREGOING OR ANY OTHER PROVISION IN THIS AGREEMENT TO THE CONTRARY, EXCEPT FOR CLAIMS OF VIOLATION OF LAW, THE TOTAL AMOUNT BY WHICH BUSINESS ASSOCIATE AGREES TO INDEMNIFY THE COVERED ENTITY HEREUNDER SHALL NOT EXCEED THE FEES (AS DEFINED IN THE UNDERLYING AGREEMENTS) PAID TO BUSINESS ASSOCIATE BY CUSTOMER PURSUANT TO THE UNDERLYING AGREEMENTS FOR THE SIX (6) MONTH PERIOD IMMEDIATELY PRECEDING THE DATE OF THE ACCRUAL OF THE CLAIM; PROVIDED, HOWEVER, FINES AND PENALTIES ASSESSED BY THE FEDERAL GOVERNMENT AGAINST THE COVERED ENTITY FOR VIOLATIONS OF FEDERAL LAW AND REGULATIONS CAUSED SOLELY BY BUSINESS ASSOCIATE’S BREACH WILL NOT BE SUBJECT TO THE FOREGOING LIMITATION OF LIABILITY.

NOTWITHSTANDING ANYTHING TO THE CONTRARY CONTAINED IN THE UNDERLYING AGREEMENTS OR THIS AGREEMENT, EXCEPT FOR CLAIMS OF VIOLATION OF LAW, IN NO EVENT SHALL EITHER PARTY BE LIABLE TO THE OTHER FOR LOST PROFITS OR REVENUE OR FOR INCIDENTAL, CONSEQUENTIAL, PUNITIVE, COVER, SPECIAL, RELIANCE OR EXEMPLARY DAMAGES, OR INDIRECT DAMAGES OF ANY TYPE OR KIND HOWEVER CAUSED, WHETHER FROM BREACH OF WARRANTY, BREACH OR REPUDIATION OF CONTRACT, NEGLIGENCE, GROSS NEGLIGENCE, WILLFUL MISCONDUCT OR ANY OTHER LEGAL CAUSE OF ACTION FROM OR IN CONNECTION WITH THE UNDERLYING AGREEMENTS OR THIS AGREEMENT (AND WHETHER OR NOT THE PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES) TO THE MAXIMUM EXTENT PERMITTED BY LAW.

VI. No Third-Party Beneficiaries

Nothing expressed or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than Covered Entity, Business Associate, and their respective successors and assigns, any rights, remedies, obligations, or liabilities whatsoever.

VII. Change In Applicable Laws Or Regulations

In the event the laws or regulations of the United States or the State in which the majority of services furnished pursuant to the Underlying Agreements are rendered are modified or amended in any material way with respect to this Agreement, this Agreement shall not be terminated but rather, to the extent feasible, shall be promptly amended by the Parties so that they may operate in compliance with the existing law. To the extent any amendments to this Agreement shall be necessary to effectuate or clarify the obligations of the Parties pursuant to such changes to the HIPAA Rules, the Parties hereby agree to negotiate such amendments in good faith, subject to the right of either Party to terminate this Agreement in accordance with its terms.

VIII. Modification

This Agreement may only be modified in a written document signed by the Parties and, thus, no oral modification hereof shall be permitted.

IX. Interpretation

Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits Covered Entity and Business Associate to comply with HIPAA, the HITECH Act, and the HIPAA Rules.

X. Miscellaneous

  • A reference in this Agreement to a section in the Privacy Rule means the section as in effect or amended.

  • Nothing in this Agreement is intended to create an agency relationship between the Parties.

  • Any notice required under this Agreement to be given to Business Associate shall be by email to Compliance@OfficeAlly.com. All notices to Covered Entity shall be by email to the email address on the Covered Entity’s Admin Account at the time the notice is to be sent.

Need further information?
Please contact Office Ally's HIPAA Privacy & Security Officer:

Karen Forden
HIPAA Privacy & Security Officer
360-975-7000, ext. 6241
Karen.Forden@OfficeAlly.com