
Office Ally Business Associate Agreement

Health Insurance Portability & Accountability Act (HIPAA)

This Business Associate Agreement (“Agreement”) by and between you (hereinafter known as “Covered Entity”) and Office Ally, Inc., a Covered Entity (a Health Care Clearinghouse) under HIPAA, providing Business Associate services (hereinafter known as “Business Associate”), is effective as of the date on which Covered Entity acknowledges and agrees to the Business Associate’s User Agreement through a separate form or online enrollment process (“Effective Date”). Covered Entity and Business Associate shall collectively be known herein as “the Parties.”

WHEREAS, Covered Entity wishes to commence a business relationship with Business Associate whereby Business Associate will create, receive, maintain, or transmit PHI in order to provide products and services to Covered Entity pursuant to any underlying service agreement(s) (the “Underlying Agreements”);

WHEREAS, the nature of the prospective contractual relationship between Covered Entity and Business Associate may involve the exchange of Protected Health Information (“PHI”) as those terms are defined under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), including all pertinent regulations issued by the Department of Health and Human Services (“HHS”);

WHEREAS, Covered Entity and Business Associate intend to protect the privacy and provide for the security of PHI that Business Associate creates, receives, maintains, or transmits on Covered Entity’s behalf, in compliance with the Privacy and Security Rules.

NOW THEREFORE, in consideration of the mutual recitals above, and the exchange of information pursuant to this Agreement, the Parties agree as follows:

I. Definitions

  • Catch-all Definitions. The following capitalized terms used in this Agreement shall have the same meaning as those terms in the HIPAA Rules: “Breach,” “Business Associate,” “Covered Entity,” “Data Aggregation,” “Designated Record Set,” “Data Use Agreement,” “Disclose” or “Disclosure,” “Health Care Clearinghouse,” “Health Care Operations,” “Minimum Necessary,” “Notice of Privacy Practices,” “Public Health Authority,” “Required By Law,” “Research,” “Secretary,” “Security Incident,” “Subcontractor,” “Unsecured Protected Health Information,” and “Use.”

  • “Discovery” shall mean the first day on which a Breach is known to Business Associate (including any person, other than the individual committing the Breach, that is an employee, officer, or other agent of Business Associate), or should reasonably have been known to Business Associate, to have occurred.

  • “HIPAA” or “Health Insurance Portability and Accountability Act of 1996” is Public Law 104-191, as codified at 42 U.S.C. §§ 1320d to 1320d-9 and amended, under which the Privacy and Security Rules were promulgated.

  • “HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules in 45 CFR Part 160 and 164.

  • “HITECH Act” or “Health Information Technology for Economic and Clinical Health Act” are those provisions set forth in Title XIII of Public Law 111-5 as enacted on February 17, 2009.

  • “Individual” shall have the same meaning as the term “individual” in 45 CFR § 160.103, and shall include a person who qualifies as a personal representative in accordance with 45 CFR § 164.502(g).

  • “Privacy Rule” is the regulation entitled “Standards for Privacy of Individually Identifiable Health Information,” promulgated under HIPAA and/or the HITECH Act and codified at 45 CFR Part 160 and 164, Subparts A and E.

  • “Protected Health Information” (“PHI”) and “Electronic Protected Health Information” (“ePHI”) shall have the meaning given to such terms in 45 CFR § 160.103, limited to the information created, received, maintained, or transmitted by Business Associate from, or for or on behalf of, Covered Entity.

  • “Security Rule” is the regulation entitled “Security Standards for the Protection of Electronic Protected Health Information,” promulgated under HIPAA and/or the HITECH Act and codified at 45 CFR, Part 160 and 164, Subparts A and C.

II. Obligations Of Business Associate

  • Limitation(s) on Uses and Disclosures. Business Associate agrees to not Use or Disclose PHI other than as permitted or required by this Agreement, the Underlying Agreements, or as Required by Law.

  • Permitted Uses and Disclosures. Business Associate may Use and Disclose PHI created or received pursuant to the Underlying Agreements as follows:

    • To carry out the purposes of the Underlying Agreements. Business Associate may Use and Disclose PHI to perform its obligations pursuant to the Underlying Agreements, provided that such Use or Disclosure would not violate the Privacy Rule if done by Covered Entity.

    • Use for Management and Administration. Business Associate may Use PHI if such Use is necessary (i) for the proper management and administration of Business Associate or (ii) to carry out the legal responsibilities of Business Associate.

    • Disclosure for Management and Administration. Business Associate may Disclose PHI for the proper management and administration of Business Associate if (i) the Disclosure is Required by Law or (ii) Business Associate (a) obtains reasonable assurances from the third party to whom the PHI is Disclosed that such PHI will be held confidentially and Used or further Disclosed only as Required by Law, or for the purpose for which it was Disclosed to the third party and (b) the third party agrees to notify Business Associate of any instances of which it becomes aware in which the confidentiality and security of the PHI has been breached.

    • Data Aggregation Services. Business Associate may Use PHI to provide Data Aggregation services relating to the Health Care Operations of Covered Entity.

    • De-Identification of PHI. Business Associate may Use PHI to create de-identified information in accordance with 45 CFR § 164.514(b).

    • Treatment, Payment, and Health Care Operations of Other Covered Entities. Business Associate may Use and Disclose PHI for the treatment, payment, and health care operations of other covered entities, subject to the limitations in 45 CFR § 164.506(c), the Minimum Necessary requirements, where applicable, and other applicable restrictions of federal and state laws and regulations.

    • Public Health. Business Associate may Use and Disclose PHI for public health purposes in accordance with the requirements of 45 CFR §§ 164.512(b) and 164.514(e) and other applicable restrictions of federal and state laws and regulations.

    • Health Oversight. Business Associate may Disclose PHI to a health oversight agency for oversight activities authorized by law in accordance with the requirements of 45 CFR § 164.512(d) and other applicable restrictions of federal and state laws and regulations.

    • Disclosures for Judicial and Administrative Proceedings and for Law Enforcement Purposes. Business Associate may Disclose PHI in response to an order of a court or administrative tribunal, court-ordered warrant, subpoena, discovery request, or other lawful process, in accordance with the requirements of 45 CFR § 164.512(a), (e), and (f) and other applicable restrictions of federal and state laws and regulations.

    • Limited Data Set. Upon Covered Entity’s request, Business Associate may Use PHI to create Limited Data Set(s) in accordance with 45 CFR § 164.514(e), and may Use or Disclose such Limited Data Sets for Health Care Operations, Research, or public health purposes pursuant to a Data Use Agreement and in accordance with 45 CFR § 164.514(e) and other applicable restrictions of federal and state laws and regulations.

    • Authorization. Business Associate may Use and Disclose PHI as authorized by an Individual using an authorization that complies with the requirements of 45 CFR § 164.508.

  • Safeguards. Business Associate shall use appropriate safeguards to prevent Use or Disclosure of PHI other than as provided for by this Agreement.

  • Security Rule. With respect to ePHI, Business Associate shall comply with the applicable requirements of the Security Rule.

  • Reporting of Impermissible Uses and Disclosures, Security Incidents, and Breaches. Business Associate agrees to report to Covered Entity any Use or Disclosure of PHI not provided for by this Agreement or any Security Incident of which Business Associate becomes aware, except that this section shall hereby serve as notice, and no additional reporting shall be required, of the regular occurrence of unsuccessful attempts at unauthorized access, Use, Disclosure, modification, or destruction of ePHI or interference with system operations in an information system containing ePHI. After Discovery of an impermissible Use, Disclosure or Security Incident, Business Associate shall report such incident to the Covered Entity without unreasonable delay and in no event more than thirty (30) days following Business Associate’s Discovery of the incident. In the event that such Use or Disclosure or Security Incident constitutes a Breach of Unsecured Protected Health Information, such notice shall include the identity of each Individual whose Unsecured PHI has been or is reasonably believed by Business Associate to have been accessed, acquired, Used, or Disclosed in connection with such Breach and any additional information set forth at 45 CFR § 164.410, to the extent available. In addition, Business Associate shall provide any additional information reasonably requested by Covered Entity for the purpose of investigating and responding to the Breach.

  • Mitigation. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that becomes known to Business Associate as a result of a Breach, or Use or Disclosure of PHI, by Business Associate in violation of the requirements of this Agreement.

  • Use of Subcontractors. Business Associate shall require any Subcontractors that create, receive, maintain, or transmit PHI on behalf of the Business Associate to agree to the same or more stringent restrictions, conditions, and requirements that apply to the Business Associate with respect to such PHI, including compliance with the applicable requirements of the Security Rule.

  • Availability of Information to Covered Entity. Within five (5) business days of receipt of a request from Covered Entity, Business Associate shall make available to Covered Entity PHI that Business Associate maintains in a Designated Record Set as necessary to allow Covered Entity to satisfy its obligations under 45 CFR § 164.524. If an Individual requests such information directly from Business Associate, Business Associate must so notify Covered Entity in writing within five (5) business days. Business Associate shall not give the Individual access to the information unless access is approved by Covered Entity in its discretion.

  • Amendment of PHI. Within five (5) business days of receipt of a request from Covered Entity, Business Associate shall make Covered Entity’s PHI that Business Associate maintains in a Designated Record Set available to Covered Entity so that Covered Entity may fulfill its obligations to amend such PHI pursuant to the Privacy Rule, including but not limited to 45 CFR § 164.526. If an Individual requests that Business Associate amend the Individual’s PHI, Business Associate must so notify Covered Entity in writing within five (5) business days and the Covered Entity may, in its discretion, determine whether to amend the PHI.

  • Accounting of Disclosures of PHI. Within five (5) business days of receipt of a request from Covered Entity, Business Associate shall make available to Covered Entity a list of Disclosures of PHI as required for Covered Entity to fulfill its obligations to provide an accounting of Disclosures pursuant to the Privacy Rule, including but not limited to 45 CFR § 164.528. Business Associate shall implement a process that allows for such an accounting. If an Individual requests such an accounting directly from Business Associate, Business Associate must so notify Covered Entity in writing within five (5) business days.

  • Availability of Books and Records. Business Associate shall make its internal practices, books and records relating to the Use and Disclosure of PHI created or received pursuant to this Agreement available to the Secretary of HHS for the purpose of determining Covered Entity’s compliance with the Privacy and Security Rules as set forth in 45 CFR § 160.310.

  • Minimum Necessary Amount of PHI. Business Associate acknowledges that it shall make reasonable efforts to request from Covered Entity, Use, and Disclose to its affiliates and Subcontractors, or other authorized third parties, only the Minimum Necessary amount of PHI to accomplish the intended purpose of such requests, Uses, or Disclosures.

  • Standard Transactions. If Business Associate conducts any Standard Transactions on behalf of Covered Entity, Business Associate shall comply with the applicable requirements of 45 CFR Parts 160 and 162.

  • Data Ownership. Business Associate acknowledges that Covered Entity is the owner of all the PHI created, received, maintained, or transmitted from, for or on behalf of the Covered Entity by Business Associate.

  • Privacy Rule Obligations. To the extent Business Associate is to carry out any of Covered Entity’s obligations under the Privacy Rule, Business Associate shall comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of such obligations. Furthermore, any specific listing of duties or functions to be performed by Business Associate for Covered Entity involving Covered Entity’s PHI that is contained in a separate contract (or addendum thereto) between the Parties is hereby incorporated by reference into this Agreement for the sole purpose of further elaborating duties and functions that Business Associate is contractually undertaking on behalf of the Covered Entity.

III. Obligations Of Covered Entity

  • Notice of Privacy Practices. Upon request of Business Associate, Covered Entity shall provide Business Associate with the Notices of Privacy Practices that Covered Entity produces in accordance with 45 CFR § 164.520.

  • Revocation of Authorization. Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by an Individual to Use or Disclose Protected Health Information, to the extent that such changes could reasonably be expected to affect Business Associate’s Use or Disclosure of PHI.

  • Restrictions. Covered Entity shall notify Business Associate of any restriction to the Use or Disclosure of PHI to which Covered Entity has agreed in accordance with 45 CFR § 164.522, to the extent that such restriction may reasonably be expected to affect Business Associate’s Use or Disclosure of PHI. Covered Entity also shall notify Business Associate of the termination of any such restriction.

  • Requests to Use or Disclose PHI. Covered Entity shall not request or cause Business Associate to Use or Disclose PHI in any manner that would not be permissible under the Privacy Rule if done by Covered Entity or that is not otherwise expressly permitted under Section (II)(b) hereof.

IV. Mutual Obligations Regarding Confidential Information

  • Definition of Confidential Information. “Confidential Information” means all information, other than PHI, that is disclosed by a Party (“Disclosing Party”) to the other Party (“Receiving Party”), whether orally, electronically, or in writing, that is designated as confidential or that reasonably should be understood to be confidential given the nature of the information and the circumstances of disclosure. Confidential Information includes, but is not limited to, pricing, business and marketing plans, technology and technical information and reports, product plans and designs, and business processes disclosed by a Party. For avoidance of doubt, Confidential Information does not include PHI, the permitted uses and disclosures of which are governed by the provisions of this Agreement other than this “Mutual Obligations Regarding Confidential Information” section. Confidential Information also does not include any information that: (a) is or becomes generally known to the public without breach of any obligation owed to the Disclosing Party; (b) was known to the Receiving Party prior to its disclosure by the Disclosing Party without breach of any obligation owed to the Disclosing Party; (c) is received from a third party without breach of any obligation owed to the Disclosing Party; or (d) was independently developed by the Receiving Party. Upon the request of a Party, the other Party agrees to destroy any documents prepared by the requesting Party using Confidential Information of the other Party or derived therefrom, and the other Party agrees to provide confirmation of such destruction in writing.

  • Protection of Confidential Information. The Receiving Party will use the same degree of care that it uses to protect the confidentiality of its own Confidential Information of like kind (but not less than reasonable care). The Receiving Party will not use any Confidential Information of the Disclosing Party for any purpose outside the scope of this Agreement or the Underlying Agreements, and except as otherwise authorized by the Disclosing Party in writing, will limit access to Confidential Information of the Disclosing Party to those of its and its affiliates’ employees and contractors who need that access for purposes consistent with this Agreement or the Underlying Agreements and who have signed confidentiality agreements with the Receiving Party containing protections not materially less protective of the Confidential Information than those herein. Neither Party will disclose the terms of this Agreement or any Underlying Agreement to any third party other than its affiliates, legal counsel and accountants without the other Party’s prior written consent, provided that a Party that makes any such disclosure to its affiliate, legal counsel or accountants will remain responsible for such affiliate’s, legal counsel’s or accountant’s compliance with this “Mutual Obligations Regarding Confidential Information” section.

  • Compelled Disclosure. The Receiving Party may disclose Confidential Information of the Disclosing Party to the extent compelled by law to do so, provided that the Receiving Party gives the Disclosing Party prior notice of the compelled disclosure (to the extent legally permitted) and reasonable assistance, at the Disclosing Party's cost, if the Disclosing Party wishes to contest the disclosure, and the Receiving Party limits the release of the Confidential Information to the greatest extent possible under the circumstances. If the Receiving Party is compelled by law to disclose the Disclosing Party’s Confidential Information as part of a civil proceeding to which the Disclosing Party is a party, and the Disclosing Party is not contesting the disclosure, the Disclosing Party will reimburse the Receiving Party for its reasonable cost of compiling and providing secure access to that Confidential Information.

  • Remedies. If the Receiving Party has disclosed, or is threatening to disclose, any Confidential Information in breach of this Agreement, the Disclosing Party is entitled to seek an injunction or other equitable relief to prevent the Receiving Party from disclosing Confidential Information. The Disclosing Party is not prohibited by this provision from pursuing other remedies, including a claim for losses or damages.

V. Term And Termination

  • Term. The Term of this Agreement shall be effective as of the Effective Date and shall terminate when: (i) all of the PHI provided by Covered Entity to Business Associate or created or received by Business Associate on behalf of Covered Entity is returned to Covered Entity or destroyed (and a certificate of destruction is provided) or, if such return or destruction is infeasible, when protections are extended to such information pursuant to paragraph (c)(ii) of this section; or (ii) upon the expiration or termination of the last of the Underlying Agreements.

  • Termination for Cause. Upon Covered Entity’s knowledge of a material Breach by Business Associate, Covered Entity shall either:

    • Provide an opportunity for Business Associate to cure the Breach or end the violation, and terminate this Agreement and any Underlying Agreements if Business Associate does not cure the Breach or end the violation within the time specified by Covered Entity;

    • Immediately terminate this Agreement and any Underlying Agreements if Business Associate has breached a material term of this Agreement, and a cure is not possible.

  • Effect of Termination

    • Except as provided in paragraph (c)(ii) of this section, upon termination of this Agreement for any reason, Business Associate shall return or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of the Covered Entity. Business Associate shall make reasonable efforts to apply and enforce this provision with respect to PHI that is in the possession of Subcontractors of Business Associate. Business Associate shall retain no copies of the PHI except as Required by Law.

    • In the event that Business Associate determines that returning or destroying the PHI is infeasible, Business Associate shall extend the protections of this Agreement to such PHI, and limit further Uses and Disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI.

VI. Indemnification And Limitation Of Liability

Business Associate shall indemnify and hold harmless the Covered Entity and its officers, trustees, employees, and agents from any and all third-party claims, penalties, fines, costs, liabilities or damages, including but not limited to reasonable attorneys’ fees, incurred by the Covered Entity arising from a violation by Business Associate of its obligations under this Agreement.

NOTWITHSTANDING THE FOREGOING OR ANY OTHER PROVISION IN THIS AGREEMENT TO THE CONTRARY, THE TOTAL AMOUNT BY WHICH BUSINESS ASSOCIATE AGREES TO INDEMNIFY THE COVERED ENTITY HEREUNDER SHALL NOT EXCEED THE FEES (AS DEFINED IN THE UNDERLYING AGREEMENTS) PAID TO BUSINESS ASSOCIATE BY CUSTOMER PURSUANT TO THE UNDERLYING AGREEMENTS FOR THE SIX (6) MONTH PERIOD IMMEDIATELY PRECEDING THE DATE OF THE ACCRUAL OF THE CLAIM.

NOTWITHSTANDING ANYTHING TO THE CONTRARY CONTAINED IN THE UNDERLYING AGREEMENTS OR THIS AGREEMENT, IN NO EVENT SHALL EITHER PARTY BE LIABLE TO THE OTHER FOR LOST PROFITS OR REVENUE OR FOR INCIDENTAL, CONSEQUENTIAL, PUNITIVE, COVER, SPECIAL, RELIANCE OR EXEMPLARY DAMAGES, OR INDIRECT DAMAGES OF ANY TYPE OR KIND HOWEVER CAUSED, WHETHER FROM BREACH OF WARRANTY, BREACH OR REPUDIATION OF CONTRACT, NEGLIGENCE, GROSS NEGLIGENCE, WILLFUL MISCONDUCT OR ANY OTHER LEGAL CAUSE OF ACTION FROM OR IN CONNECTION WITH THE UNDERLYING AGREEMENTS OR THIS AGREEMENT (AND WHETHER OR NOT THE PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES) TO THE MAXIMUM EXTENT PERMITTED BY LAW.

VII. Waiver Of Jury Trial; Class Action Waiver

  • Waiver of Jury Trial. THE PARTIES HEREBY IRREVOCABLY WAIVE, TO THE FULLEST EXTENT PERMITTED BY LAW, ALL RIGHTS TO TRIAL BY JURY IN ANY ACTION, PROCEEDING, CAUSE OF ACTION, CLAIM OR COUNTERCLAIM ARISING OUT OF OR RELATING TO THIS AGREEMENT. EACH OF THE PARTIES HERETO HAS FULLY DISCUSSED THIS SECTION, AND THESE PROVISIONS WILL NOT BE SUBJECT TO ANY EXCEPTIONS. EACH PARTY HERETO HEREBY FURTHER WARRANTS AND REPRESENTS THAT SUCH PARTY HAS REVIEWED THIS WAIVER WITH ITS LEGAL COUNSEL, AND THAT SUCH PARTY KNOWINGLY AND VOLUNTARILY WAIVES ITS JURY TRIAL RIGHTS FOLLOWING CONSULTATION WITH LEGAL COUNSEL.

  • Class Action Waiver. COVERED ENTITY AGREES THAT ANY CLAIM IT MAY HAVE AGAINST BUSINESS ASSOCIATE, INCLUDING BUSINESS ASSOCIATE’S PAST OR PRESENT EMPLOYEES OR AGENTS, SHALL BE BROUGHT INDIVIDUALLY AND COVERED ENTITY SHALL NOT JOIN SUCH CLAIM WITH CLAIMS OF ANY OTHER PERSON OR ENTITY OR BRING, JOIN, OR PARTICIPATE IN A CLASS ACTION AGAINST BUSINESS ASSOCIATE.

VIII. No Third-Party Beneficiaries

Nothing expressed or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than Covered Entity, Business Associate, and their respective successors and assigns, any rights, remedies, obligations, or liabilities whatsoever.

IX. Change In Applicable Laws Or Regulations

In the event the laws or regulations of the United States or the State in which the majority of services furnished pursuant to the Underlying Agreements are rendered are modified or amended in any material way with respect to this Agreement, this Agreement shall not be terminated but rather, to the extent feasible, shall be promptly amended by the Parties so that they may operate in compliance with the existing law. To the extent any amendments to this Agreement shall be necessary to effectuate or clarify the obligations of the Parties pursuant to such changes to the HIPAA Rules, the Parties hereby agree to negotiate such amendments in good faith, subject to the right of either Party to terminate this Agreement in accordance with its terms.

X. Modification

This Agreement may only be modified in a written document signed by the Parties and, thus, no oral modification hereof shall be permitted.

XI. Interpretation

Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits Covered Entity and Business Associate to comply with HIPAA, the HITECH Act, and the HIPAA Rules.

XII. Miscellaneous

  • A reference in this Agreement to a section in the Privacy Rule means the section as in effect or amended.

  • Nothing in this Agreement is intended to create an agency relationship between the Parties.

  • Any notice required under this Agreement to be given to Business Associate shall be by email to Compliance@OfficeAlly.com. All notices to Covered Entity shall be by email to the email address on the Covered Entity’s Admin Account at the time the notice is to be sent.


Need further information?
Please contact Office Ally's HIPAA Privacy & Security Officer:

Karen Forden
HIPAA Privacy & Security Officer
360-975-7000, ext. 6241
Karen.Forden@OfficeAlly.com