Provider Business Associate Agreement
This Business Associate Agreement (this “BAA”) is entered into by and between Vim, Inc. (“Business Associate”) and the Provider (“Covered Entity”) named in the Order Form, Statement of Work or similar document (the “SOW” or “Order”) that references this BAA. This BAA forms part of the SOW, which is subject to this BAA. Each of Business Associate and Covered Entity is also referred to herein as a “Party” and, collectively, the “Parties”. Except as otherwise defined in this BAA, any and all capitalized terms in this BAA shall have the definitions set forth in the HIPAA Rules as in effect or as amended from time to time.
WHEREAS, Business Associate wishes to provide via licensed use of Business Associate’s proprietary technology platform (i) direct scheduling and scheduling request submission via a website, (ii) referral notification to patients via SMS, (iii) reporting capability, and (iv) other services as documented in an Agreement, as defined herein (together, the “Services”) for Covered Entity, the performance of which will involve the disclosure or use of Protected Health Information (“PHI”), which information is subject to protection under the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191 (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health Act, Title XIII of the American Recovery and Reinvestment Act of 2009 (“HITECH”), and their related regulations promulgated by the Secretary of the U.S. Department of Health and Human Services (the “Secretary”) (collectively, the “HIPAA Rules”); and
WHEREAS, in order to meet their obligations under the HIPAA Rules, Covered Entity and Business Associate agree to be bound by and follow the terms set forth in this BAA.
The Parties, intending to be legally bound, agree as follows:
A. Permitted Uses and Disclosures by Business Associate:
1. Agreement: The “Agreement” shall mean the applicable agreement between Covered Entity and Business Associate under which Business Associate provides services to Covered Entity which involve the use or disclosure of PHI. Except as otherwise limited in this BAA, Business Associate may use or disclose PHI to perform services for, or on behalf of, Covered Entity as specified in the Agreement, provided that such use or disclosure of PHI would not otherwise violate the HIPAA Rules if such use or disclosure of PHI was made by Covered Entity.
2. Administrative Use and Disclosure: Except as otherwise limited in this BAA, Business Associate may use PHI for the proper management and administration of the Business Associate or to carry out its legal responsibilities. Business Associate may also disclose PHI for the proper management and administration of the Business Associate, provided that: (i) disclosures are required by law, or (ii) Business Associate obtains reasonable assurances from the third party to whom the information is disclosed that the third party will (a) protect the confidentiality of the PHI, (b) use or further disclose the PHI only as required by law or for the purpose for which it was disclosed to the third party, and (c) notify the Business Associate of any instances it becomes aware of in which the confidentiality of the PHI has been breached.
3. Data Aggregation: Business Associate may use PHI to provide data aggregation services related to the healthcare operations of Covered Entity.
4. Data De-identification: Business Associate may use PHI to create de-identified health information in accordance with the HIPAA Rules. Business Associate may disclose or use de-identified health information for any purpose permitted by law.
B. Business Associate’s Obligations:
1. Permitted Use and Disclosure of PHI: Business Associate agrees to use or disclose PHI only as permitted or required by the Agreement, this BAA or as required by law.
2. Appropriate Safeguards: Business Associate agrees to use appropriate safeguards to help prevent the use or disclosure of the PHI other than as provided for by this BAA. Without limiting the generality of the foregoing sentence, Business Associate will:
3. Reporting: Business Associate agrees to report, without unreasonable delay, to Covered Entity any use or disclosure of PHI by Business Associate, or a third party to which Business Associate disclosed PHI, which was not permitted by this BAA or by law of which Business Associate becomes aware.
4. Minimum Necessary Standard: To the extent required by the “minimum necessary” requirements of the HIPAA Rules, Business Associate shall only use or disclose the minimum amount of PHI necessary to accomplish the purpose of the use or disclosure.
5. Subcontractors: Business Associate shall enter into a written agreement meeting the requirements of the HIPAA Rules with each of its subcontractors (including, without limitation, a subcontractor that is an agent under applicable law) that creates, receives, maintains or transmits PHI on behalf of Business Associate. Business Associate shall ensure that the written agreement with each Subcontractor obligates the Subcontractor to comply with restrictions and conditions that are at least as restrictive as the restrictions and conditions that apply to Business Associate under this BAA.
6. Access to Books and Records: Business Associate agrees to make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of Covered Entity, available to the Secretary for purposes of the Secretary determining Covered Entity’s and Business Associate’s compliance with the HIPAA Rules.
7. Individual Requests: Business Associate agrees to, within fifteen (15) business days of a request for an accounting of disclosures of PHI from Covered Entity, make available to Covered Entity such information as is in Business Associate’s possession and as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with the HIPAA Rules. If Business Associate receives a request for an accounting directly from an Individual, Business Associate shall forward such request to Covered Entity within ten (10) business days. Covered Entity shall have the sole responsibility to provide an accounting of disclosures.
8. Covered Entity: To the extent Business Associate carries out an obligation of Covered Entity under the HIPAA Rules, Business Associate shall comply with the requirements of the HIPAA Rules that apply to Covered Entity in the performance of such obligation.
C. Covered Entity’s Obligations:
1. Impermissible Requests by Covered Entity: Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if the requested use or disclosure of PHI was made by Covered Entity.
2. Minimum Necessary PHI: When Covered Entity discloses PHI to Business Associate, Covered Entity shall only provide the minimum amount of PHI necessary for Business Associate to perform the services provided in the Agreement.
3. Notifications: Covered Entity shall notify Business Associate, as soon as reasonably practicable, but in no more than ten (10) days from the date Covered Entity became aware, of any changes that would directly relate to Business Associate’s use or disclosure of PHI under the terms of the Agreement, this BAA or as required by law, including:
D. Term and Termination:
1. Term: This BAA shall terminate when all of the PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy PHI, protections are extended to such information, in accordance with the termination provisions in this Section E.
2. Termination Upon Breach: Either Party (the “Non-Breaching Party”), upon knowledge of a material breach of a term of this BAA by the other Party (the “Breaching Party”), shall provide an opportunity for the Breaching Party to cure the breach or end the violation. If the Breaching Party does not cure the breach or end the violation within thirty (30) calendar days from the date the Non-Breaching Party provided notice to the Breaching Party of the breach or violation, the Non-Breaching Party may terminate: (A) this BAA; (B) all of the provisions of the Agreement that involve the use or disclosure of PHI; and (C) such other provisions, if any, of the Agreement as the Non-Breaching Party designates in its sole discretion, including the entire Agreement. In the event that termination of this BAA is not feasible, in the Non-Breaching Party’s sole discretion, the Non-Breaching Party has the right to report the breach to the Secretary.
3. Effect of Termination: No later than thirty (30) calendar days following the termination of this BAA, unless otherwise directed by the Covered Entity, Business Associate shall either return or destroy all PHI received from the Covered Entity or created or received by Business Associate on behalf of the Covered Entity that Business Associate maintains in any form. Business Associate shall not retain any copies of such PHI. Notwithstanding the foregoing, in the event that Business Associate determines that returning or destroying the PHI is infeasible upon termination of this BAA, Business Associate shall provide to Covered Entity notification of the condition that makes return or destruction infeasible. To the extent that it is not feasible for Business Associate to return or destroy such PHI, the terms and provisions of this BAA shall survive such termination or expiration and such PHI shall be used or disclosed solely as permitted by law for so long as Business Associate maintains such PHI. The above notwithstanding, Business Associate may retain PHI which is necessary for the Business Associate to continue its proper management and administration or to carry out its legal responsibilities. The Business Associate will continue to use all safeguards set out in this BAA with regard to any PHI it retains after the termination of this BAA.
E. Miscellaneous Terms:
1. Interpretation: Any ambiguity in this BAA shall be resolved so that both the Covered Entity and the Business Associate can comply with the HIPAA Rules.
2. Survival: The respective rights and obligations of Business Associate under Section D.3. of this BAA shall survive termination of the Agreement and this BAA.