This Business Associate Agreement (“Agreement”) is an addendum to the Arrangement between eKare, Inc., a Delaware corporation, and Covered Entity. Capitalized terms used in this Agreement shall have the meanings set forth in Section 1, below.
WHEREAS, Business Associate will have access to and/or to collect or create Electronic Protected Health Information and Protected Health Information (which are collectively referred to as “Protected Health Information” and are defined below) in order to carry out Business Associate’s functions on behalf of Covered Entity;
WHEREAS, Covered Entity and Business Associate intend to protect the privacy and provide for the security of Protected Health Information disclosed, collected or created by Business Associate in connection with the Arrangement in compliance with the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 (“HIPAA”), Subtitle D of Title XIII of Division A of the American Recovery and Reinvestment Act of 2009, Public Law 111-5 (“HITECH”) and the regulations promulgated under HIPAA and HITECH, including, without limitation, the privacy, security, breach notification and enforcement rules at 45 CFR Part 160 and Part 164, in each case, as amended from time to time (collectively referred to hereinafter as the “HIPAA Regulations”); and
WHEREAS, the HIPAA Regulations require Covered Entity and Business Associate to enter into an agreement containing certain requirements with respect to the use and disclosure of Protected Health Information and which are contained in this Agreement.
NOW, THEREFORE, in consideration of the mutual promises contained herein and the exchange of information pursuant to this Agreement, the parties agree as follows:
- Definitions. Terms used, but not otherwise defined, in this Agreement shall have the same meanings as those terms in the HIPAA Regulations, except that the terms “Protected Health Information” and “Electronic Protected Health Information” shall have the same meanings as set forth in 45 C.F.R. § 160.103, limited to the information created or received by Business Associate from or on behalf of Covered Entity in connection with the Arrangement.
- “Arrangement” shall mean any and all service agreements, including in each case, any related terms and conditions or addendums entered into between Business Associate and Covered Entity pursuant to which Business Associate has agreed to provide services to Covered Entity.
- ”Authorized User” shall mean an individual designated from time to time by Covered Entity to Business Associate as an authorized user of the communications service provided to Covered Entity.
- “Covered Entity” shall mean the Customer and its Affiliates (as defined in the Arrangement) to whom EKare, Inc., provides services or performs functions or activities, to the extent such Customer and Affiliates are covered entities under HIPAA.
- Obligations of Business Associate.
- Permitted Uses and Disclosures. Business Associate may use and disclose Protected Health Information to perform services as contemplated by the Arrangement. Business Associate agrees to not use or disclose Protected Health Information other than as permitted or required by the Arrangement, this Agreement or as Required By Law. Business Associate shall not use Protected Health Information in any manner that would constitute a violation of the HIPAA Regulations, or other applicable federal or state law if so used by Covered Entity, except that Business Associate may use Protected Health Information to the extent otherwise permitted by this Agreement as follows: (i) for the proper management and administration of Business Associate; (ii) to carry out the legal responsibilities of Business Associate, provided that disclosures for the purposes set forth in clause (i) or (ii) are Required By Law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached; or (iii) for Data Aggregation services related to the Health Care Operations of the Covered Entity. Business Associate may de-identify Protected Health Information in accordance with 45 C.F.R 164.514(a)-(c). Any such de-identified information shall not be Protected Health Information and shall not be subject to the terms of this Agreement. To the extent permitted by law, as between Business Associate and Covered Entity, any such de-identified information shall be owned by Business Associate.
- Appropriate Privacy and Security Safeguards. Business Associate agrees to use appropriate physical, administrative and technical safeguards that (i) reasonably and appropriately protect the confidentiality, integrity and availability of Protected Health Information that it creates, receives, maintains or transmits on behalf of Covered Entity, and (ii) prevent the use or disclosure of the Protected Health Information other than as provided for by this Agreement.
- Security Compliance. Business Associate shall comply with Subpart C of 45 CFR Part 164 with respect to Electronic Protected Health Information.
- Reporting of Security Incident, Improper Use or Disclosure and Breach. Business Associate agrees to report to Covered Entity (i) any Security Incident; and (ii) any use or disclosure of the Protected Health Information not provided for by this Agreement, of which it becomes aware. Notwithstanding the foregoing, Business Associates shall only be required to notify Covered Entity of attempted, unsuccessful Security Incidents on a reasonable basis to be determined by written request of the Covered Entity. Business Associate further agrees to notify Covered Entity of any Breach of Unsecured Protected Health Information in accordance with 45 CFR 164.410 of which Business Associate becomes aware, to the extent that Business Associate accesses, maintains, retains, modifies, records, stores, destroys or otherwise holds, uses or discloses Unsecured Protected Health Information.
- Mitigation. Business Associate agrees to mitigate, to the extent practicable, any harmful effect from any Breach of Unsecured Protected Health Information or other Security Incident or inconsistent use or disclosure of Protected Health Information, which Business Associate is required to report to Covered Entity pursuant to this Agreement.
- Agents and Subcontractors. In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, Business Associate agrees to ensure that any agent, including a subcontractor, that creates, receives, maintains or transmits Protected Health Information received on behalf of Business Associate, or created or received by Business Associate on behalf of Covered Entity, agrees (i) to the same restrictions, conditions and requirements that apply through this Agreement to Business Associate with respect to such information; and (ii) to implement reasonable and appropriate safeguards to protect it.
- Access. Business Associate agrees to provide access, at the request of Covered Entity, to Protected Health Information in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual or his or her designee in order to meet the requirements under 45 C.F.R. § 164.524
- Amendment. Business Associate agrees to make any amendment(s) to Protected Health Information in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 C.F.R. § 164.526 at the request of Covered Entity or an Individual.
- Accounting. Business Associate agrees to document such disclosures of Protected Health Information and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 C.F.R. § 164.528. Business Associate agrees to maintain and make available the information collected in accordance with this Section 2.i. of this Agreement and as required to provide an accounting of disclosures to the Covered Entity as necessary for Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 C.F.R. § 164.528.
- Government Access. Business Associate agrees to make internal practices, books and records, including policies and procedures and Protected Health Information, relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of, Covered Entity available to the Secretary for purposes of the Secretary determining Covered Entity’s compliance with the HIPAA Regulations.
- Minimum Necessary. Business Associate agrees to make uses and disclosures and requests for Protected Health Information consistent with Covered Entity’s minimum necessary policies and procedures as determined by Covered Entity and communicated to Business Associate from time to time.
- Compliance. To the extent Business Associate will carry out one or more obligations of Covered Entity under Subpart E of 45 CFR Part 164, Business Associate shall comply with the requirements of Subpart E that apply to a Covered Entity in the performance of such obligations.
- Obligations of Covered Entity
- Inform Business Associate of Privacy Practices and Restrictions. Covered Entity shall notify Business Associate in writing of any limitation(s) in its notice of privacy practices of Covered Entity in accordance with 45 C.F.R. § 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of Protected Health Information. Covered Entity shall notify Business Associate in writing of any changes in, or revocation of, permission by Individual to use or disclose Protected Health Information, to the extent that such changes may affect Business Associate’s use or disclosure of Protected Health Information. Covered Entity shall notify Business Associate in writing of any restriction to the use or disclosure of Protected Health Information that Covered Entity has agreed to or is required to implement in accordance with 45 C.F.R. § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of Protected Health Information.
- Minimum Necessary. Covered Entity shall disclose, and require Authorized Users to disclose, to Business Associate only the minimum necessary Protected Health Information for Business Associate to accomplish its obligations under the Arrangement
- Permissible Requests by Covered Entity. Covered Entity shall not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under the Subpart E of 45 CFR Part 164 if done by Covered Entity, except that Business Associate may use and disclose Protected Health Information for its own proper management and administration or legal responsibilities or for data aggregation services as described in Section (2)(a).
- Applicable Law. Covered Entity shall comply with the all applicable law, including the HIPAA Regulations.
- Scope of Covered Entity Risk Management Program. Without limiting any other provision hereof, Covered Entity represents, warrants and covenants, at all times hereunder that (i) has conducted a risk analysis as required by HIPAA, including without limitation, as to the particular risks noted below, and shall periodically update such analysis during the term; and (ii) based on such risk analysis, it has adopted and shall maintain a HIPAA risk management program that includes appropriate physical, technical and administrative safeguards to reduce risk to reasonable and appropriate level consistent with HIPAA, including without limitation, as to the following particular risks:
- COMMUNICATIONS MADE OUTSIDE OF EKARE PLATFORM. COVERED ENTITY ACKNOWLEDGES AND AGREES THAT TEXTING AND OTHER COMMUNICATIONS OF PROTECTED HEALTH INFORMATION THAT COVERED ENTITY OR AN AUTHORIZED USER REQUEST EKARE TO RELAY OUTSIDE OF THE EKARE COMMUNICATIONS PLATFORM (INCLUDING, FOR EXAMPLE, WHERE COVERED ENTITY OR AUTHORIZED USER REQUESTS THAT EKARE RELAY A MESSAGE BY SMS TEXT) POSE HEIGHTENED PRIVACY AND SECURITY RISKS. COVERED ENTITY FURTHER ACKNOWLEDGES AND AGREES THAT IT IS COVERED ENTITY’S SOLE RESPONSIBILITY TO DETERMINE, AS PART OF ITS HIPAA RISK ANALYSIS, WHETHER TO PROHIBIT OR PERMIT SUCH COMMUNICATIONS AND, TO THE EXTENT SUCH COMMUNICATIONS ARE PERMITTED, TO IMPLEMENT APPROPRIATE SAFEGUARDS (INCLUDING POLICIES, PROCEDURES AND TRAINING OF ALL AUTHORIZED USERS) TO MANAGE THESE RISKS TO A REASONABLE AND APPROPRIATE LEVEL CONSISTENT WITH HIPAA.
- Business Associate is hereby expressly authorized and directed by Covered Entity to communicate Protected Health Information outside of Business Associate’s communications platform as necessary for the Arrangement, including without limitation, to make such communications to any mobile device and in any manner (including by SMS text) designated by Covered Entity or any Authorized User. In making communications as requested by Covered Entity or an Authorized User, Business Associate shall rely on Covered Entity’s representations under this Section (3)(e). Business Associate agrees to comply, within thirty (30) days of receipt of same, with your reasonable direction to us as to the types and amounts of Protected Health Information that may, consistent with your risk analysis, be included in any such communications originating from us, or with any written direction from you prohibiting us, consistent with your risk analysis, from relaying communications of Protected Health Information outside of the EKare communications platform
- Certain Third Party Services. Covered Entity acknowledges and agrees that functionalities, capabilities or services provided to it or its authorized users directly by third parties (“Third-Party Services”), including WITHOUT LIMITATION services that are innate to a particular mobile device (such as use of “Siri” dictation services on an iPhone) are NOT provided by EKare. Covered Entity shall remain solely responsible for adopting appropriate safeguards with respect to such Third-Party Services (including, where appropriate, policies and procedures prohibiting authorized users from using certain Third Party Services to send, receive, maintain or transmit protected health information), and for the accuracy, security and privacy of communications sent, received, maintained or transmitted using such Third-Party Services, including, putting in place business associate agreements with any such third parties, if required by hipaa
- Indemnification. Each party shall indemnify and hold harmless the other party and its respective affiliates, partners, members, shareholders, directors, officers, employees, contractors or agents, from and against any and all claims, causes of action, liabilities, losses, damages, lost profits, penalties, assessments, judgments, awards or costs (including cost of notification or remediation relating to notification for individuals whose Protected Health Information or personal information is inappropriately accessed, used or disclosed), including reasonable attorneys’ fees and costs (collectively, “Liabilities”), arising out of, resulting from, or relating to (i) the breach of this Agreement by either party or its Authorized Users, or (ii) the negligent acts or omissions of either party or its employees, agents, subcontractors or Authorized Users. Indemnification by Covered Entity shall include, without limitation, indemnification of Liabilities arising out of, or resulting from, or relating to (i) Breaches of Protected Health Information or personal information resulting from the loss or theft of, or other unauthorized access to Protected Health Information communicated by Business Associate as requested by Covered Entity and/or its Authorized Users outside Business Associate’s communications platform as permitted by Section (3)(e) of this Agreement; (ii) loss, theft or other unauthorized access to Protected Health Information stored unencrypted on mobile devices used by Covered Entity and/or its Authorized Users; (iii) compliance by Business Associate with Covered Entity’s directives hereunder; or (iv) use by Covered Entity or any Authorized User of Third Party Services. This Section (3)(f) shall survive the expiration or termination of this Agreement or the Arrangement.
- Term and Termination.
- Term. The Term of this Agreement shall be effective immediately upon execution of the EKare Sales Order , and shall terminate upon the earlier to occur of (i) the termination of the Arrangement for any reason or (ii) the termination of this Agreement pursuant to the provisions herein.
- Termination for Cause. Either party may terminate this Agreement due to a material breach of this Agreement by the other party upon giving the other party thirty (30) days’ prior written notice, provided the breaching party does not cure the breach prior to the effective date of termination.
- Effect of Termination. Upon the termination of this Agreement for any reason, Business Associate shall return or destroy all Protected Health Information received from Covered Entity or created or received by Business Associate on behalf of Covered Entity. This provision shall apply to Protected Health Information that is in the possession of subcontractors or agents of Business Associate. Business Associate shall retain no copies of the Protected Health Information. If Business Associate determines that returning or destroying the Protected Health Information is infeasible, Business Associate shall extend the protections of this Business Associate Agreement to such Protected Health Information and limit further uses and disclosures of such Protected Health Information to those purposes that make the return or destruction infeasible for so long as Business Associate maintains such Protected Health Information.
- This Agreement may be amended from time to time by EKare, by notifying Covered Entity of such amendments and posting amendments to its website. Such amendments shall be effective thirty (30) days after posting.
- The provisions of this Agreement shall survive the termination or expiration of the Arrangement.
- This Agreement and the Arrangement shall be interpreted as broadly as necessary to implement and comply with the HIPAA Regulations. The parties agree that any ambiguity in this Agreement shall be resolved in favor of a meaning that complies and is consistent with the HIPAA Regulations. In the event of any conflict between the terms of the Arrangement and this Agreement with regard to the use or disclosure of Protected Health Information, the terms of this Agreement shall govern. If a court finds any portion of this Agreement to be void or unenforceable, the parties intend that the court construe the remaining portions of the Agreement to be in full force and effect.
- Governing Law. This Agreement shall be construed in accordance with the laws of the state of Virginia.
- All notices required or permitted under this Agreement shall be in writing, except as otherwise provided, and sent to the other party at the address for such other party on the records of the party providing the notice. All such notices shall be deemed validly given upon receipt of such notice by certified mail, postage prepaid, facsimile transmission or personal or courier delivery.