This Business Associate Agreement (this “BAA”) is entered into by and between Vim, Inc. (“Business Associate”) and the Provider (“Covered Entity”) named in the Order Form, Statement of Work or similar document (the “SOW” or “Order”) that references this BAA. This BAA forms part of the SOW, which is subject to this BAA. Each of Business Associate and Covered Entity are also referred to herein as a “Party” and, collectively, the “Parties”. Except as otherwise defined in this BAA, any and all capitalized terms in this BAA shall have the definitions set forth in the HIPAA Rules as in effect or as amended from time to time.
WHEREAS, Business Associate wishes to provide, via licensed use of Business Associate’s proprietary technology platform and other services as documented in an Agreement, as defined herein (together, the “Services”), for Covered Entity, the performance of which will involve the disclosure or use of Protected Health Information (“PHI”), which information is subject to protection under the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191 (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health Act, Title XIII of the American Recovery and Reinvestment Act of 2009 (“HITECH”), and their related regulations promulgated by the Secretary of the U.S. Department of Health and Human Services (the “Secretary”) (collectively, the “HIPAA Rules”);
WHEREAS, in order to meet their obligations under the HIPAA Rules, Covered Entity and Business Associate agree to be bound by and follow the terms set forth in this BAA.
The Parties, intending to be legally bound, agree as follows:
A. Permitted Uses and Disclosures by Business Associate:
1. Agreement: The “Agreement” shall mean the applicable agreement between Covered Entity and Business Associate under which Business Associate provides services to Covered Entity which involve the use or disclosure of PHI. To the extent Provider Data (as defined in the Agreement) is PHI, except as otherwise limited in this BAA, Business Associate may use or disclose PHI as specified in the Agreement, provided that such use or disclosure of PHI would not otherwise violate the HIPAA Rules if such use or disclosure of PHI was made by Covered Entity.
2. Administrative Use and Disclosure: Except as otherwise limited in this BAA, Business Associate may use PHI for the proper management and administration of the Business Associate or to carry out its legal responsibilities. Business Associate may only disclose PHI for the proper management and administration of the Business Associate, provided that: (i) disclosures are required by law, or (ii) Business Associate obtains reasonable assurances from the third party to whom the information is disclosed that the third party will (a) protect the confidentiality of the PHI, (b) use or further disclose the PHI only as required by law or for the purpose for which it was disclosed to the third party, and (c) notify the Business Associate of any instances it becomes aware of in which the confidentiality of the PHI has been breached.
3. Data Aggregation: Business Associate may use PHI to provide data aggregation services related to the healthcare operations of Covered Entity.
B. Business Associate’s Obligations:
1. Permitted Use and Disclosure of PHI: Business Associate agrees to use or disclose PHI only as permitted or required by the Agreement, this BAA or as required by law. With regard to its use and/or disclosure of PHI, Business Associate agrees to:
1.1 not use and/or further disclose PHI except as necessary to provide the Services, as permitted or required by this Exhibit, and in compliance with each applicable requirement of 45 C.F.R. § 164.504(e), or as otherwise Required by Law; provided that, to the extent Business Associate is to carry out a Covered Entity’s obligations under the Privacy Rule, Business Associate will comply with the requirements of the Privacy Rule that apply to that Covered Entity in the performance of those obligations.
1.2 not use, transfer, transmit, or otherwise send or make available any PHI outside of the geographic confines of the United States of America without Provider’s advance written consent.
1.3 Some of the PHI provided to Business Associate may be substance use disorder information subject to the confidentiality requirements set forth in 42 C.F.R. Part 2 (“Part 2 Records”). Business Associate shall not re-disclose Part 2 Records to a third party unless the third party is an agent or a contractor of Business Associate who: (i) has agreed to be fully bound by 42 C.F.R. Part 2 upon receipt of Part 2 Records; (ii) is helping Business Associate to carry out the requirements described in this Agreement; (iii) has received notice that 42 C.F.R. Part 2 prohibits unauthorized disclosure of Part 2 Records; and (iv) has agreed to only further disclose the Part 2 Records: (a) to its subcontractors who have agreed to be fully bound by 42 C.F.R. Part 2 upon receipt of Part 2 Records; and (b) back to Business Associate or the Provider from which the Part 2 Records originated.
2. Appropriate Safeguards: Business Associate agrees to use appropriate safeguards to help prevent the use or disclosure of the PHI other than as provided for by this BAA. Without limiting the generality of the foregoing sentence, Business Associate will:
i. Implement administrative, organizational, physical, and technical safeguards that are reasonably and appropriately designed to help protect the confidentiality, integrity and availability of Electronic PHI that it creates, receives, maintains or transmits on behalf of Covered Entity as required by the HIPAA Security Rule;
ii. Report to Covered Entity any Security Incident involving Electronic PHI of which Business Associate becomes aware. Any actual, successful Security Incident will be reported to Covered Entity in writing without unreasonable delay. Any attempted, unsuccessful Security Incident of which Business Associate becomes aware will be reported to Covered Entity orally or in writing on a reasonable basis, as requested by Covered Entity. If the HIPAA Rules are amended to remove the requirement to report unsuccessful attempts at unauthorized access, the requirement hereunder to report such unsuccessful attempts will no longer apply as of the effective date of the amendment;
iii. Notify Covered Entity following the discovery of a Breach of Unsecured PHI in accordance with the HIPAA Rules and without unreasonable delay and in no case later than five (5) days (or within any shorter deadline imposed by applicable State law) after discovery of the Breach. A Breach is considered “discovered” as of the first day on which the Breach is known, or reasonably should have been known, to Business Associate or any employee, officer or agent of Business Associate, other than the individual committing the Breach. Any notice of a Security Incident or Breach of Unsecured PHI shall include the identification of each Individual whose PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired or disclosed during such Security Incident or Breach, as well as any other relevant information regarding the Security Incident or Breach.
3. Reporting: Business Associate agrees to promptly report, without unreasonable delay, to Covered Entity any use or disclosure of PHI by Business Associate, or by a third party to which Business Associate disclosed PHI, which was not permitted by this BAA or by law and of which Business Associate becomes aware.
4. Minimum Necessary Standard: To the extent required by the “minimum necessary” requirements of the HIPAA Rules, Business Associate shall only use or disclose the minimum amount of PHI necessary to accomplish the purpose of the use or disclosure.
5. Subcontractors: Business Associate shall enter into a written agreement meeting the requirements of the HIPAA Rules with each of its subcontractors (including, without limitation, a subcontractor that is an agent under applicable law) that creates, receives, maintains or transmits PHI on behalf of Business Associate. Business Associate shall ensure that the written agreement with each Subcontractor obligates the Subcontractor to comply with restrictions and conditions that are at least as restrictive as the restrictions and conditions that apply to Business Associate under this BAA. Business Associate shall require its subcontractors (and shall require those subcontractors to require their subcontractors) to report to Business Associate any use or disclosure of PHI or Security Incident required to be reported under Section 3 on or before seventy-two (72) hours after its discovery by any of those subcontractors.
6. Access to Books and Records: Business Associate agrees to make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of Covered Entity, available to the Secretary for purposes of the Secretary determining Covered Entity’s and Business Associate’s compliance with the HIPAA Rules.
7. Individual Requests: Business Associate agrees to, within fifteen (15) business days of a request for an accounting of disclosures of PHI from Covered Entity, make available to Covered Entity such information as is in Business Associate’s possession and as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with the HIPAA Rules. If Business Associate receives a request for an accounting directly from an Individual, Business Associate shall forward such request to Covered Entity within ten (10) business days. Covered Entity shall have the sole responsibility to provide an accounting of disclosures.
8. Covered Entity: To the extent Business Associate carries out an obligation of Covered Entity under the HIPAA Rules, Business Associate shall comply with the requirements of the HIPAA Rules that apply to Covered Entity in the performance of such obligation.
C. Covered Entity’s Obligations:
1. Impermissible Requests by Covered Entity: Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if the requested use or disclosure of PHI was made by Covered Entity.
2. Minimum Necessary PHI: When Covered Entity discloses PHI to Business Associate, Covered Entity shall only provide the minimum amount of PHI necessary for Business Associate to perform the services provided in the Agreement.
3. Notifications: Covered Entity shall notify Business Associate, as soon as reasonably practicable, but in no more than ten (10) days from the date Covered Entity became aware, of any changes that would directly relate to Business Associate’s use or disclosure of PHI under the terms of the Agreement, this BAA or as required by law, including: i. Privacy Practices: any changes to Covered Entity’s Notice of Privacy Practices that may affect Business Associate’s use or disclosure of PHI; ii. Individual Rights: any changes in, or revocation of, permission(s) granted by an Individual, including authorization to use or disclose his or her PHI, to the extent that such changes may affect Business Associate’s use or disclosure of the PHI; and iii. Restrictions on use of an Individual’s PHI: any changes to restrictions made by an Individual regarding the use or disclosure of his or her PHI which Covered Entity agreed to that may affect Business Associate’s use or disclosure of the PHI. Covered Entity shall not agree to any restrictions on the use or disclosure of PHI that would restrict Business Associate’s use or disclosure of PHI under this BAA, unless Business Associate grants its written consent.
D. Term and Termination:
1. Term: This BAA shall terminate when all of the PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy PHI, protections are extended to such information, in accordance with the termination provisions in this Section E.
2. Termination Upon Breach: Either Party (the “Non-Breaching Party”), upon knowledge of a material breach of a term of this BAA by the other Party (the “Breaching Party”), shall provide an opportunity for the Breaching Party to cure the breach or end the violation. If the Breaching Party does not cure the breach or end the violation within thirty (30) calendar days from the date the Non-Breaching Party provided notice to the Breaching Party of the breach or violation, the Non-Breaching Party may terminate: (A) this BAA; (B) all of the provisions of the Agreement that involve the use or disclosure of PHI; and (C) such other provisions, if any, of the Agreement as the Non-Breaching Party designates in its sole discretion, including the entire Agreement. In the event that termination of this BAA is not feasible, in the Non-Breaching Party’s sole discretion, the Non-Breaching Party has the right to report the breach to the Secretary.
3. Effect of Termination: No later than thirty (30) calendar days following the termination of this BAA, unless otherwise directed by the Covered Entity, Business Associate shall either return or destroy all PHI received from the Covered Entity or created or received by Business Associate on behalf of the Covered Entity which Business Associate maintains in any form. Business Associate shall not retain any copies of such PHI. Notwithstanding the foregoing, in the event that Business Associate determines that returning or destroying the PHI is infeasible upon termination of this BAA, Business Associate shall provide to Covered Entity notification of the condition that makes return or destruction infeasible. To the extent that it is not feasible for Business Associate to return or destroy such PHI, the terms and provisions of this BAA shall survive such termination or expiration and such PHI shall be used or disclosed solely as permitted by law for so long as Business Associate maintains such PHI. The above notwithstanding, Business Associate may retain PHI which is necessary for the Business Associate to continue its proper management and administration or to carry out its legal responsibilities. The Business Associate will continue to use all safeguards set out in this BAA with regard to any PHI it retains after the termination of this BAA.
E. Miscellaneous Terms:
1. Interpretation: Any ambiguity in this BAA shall be resolved so that both the Covered Entity and the Business Associate can comply with the HIPAA Rules.
2. Survival: The respective rights and obligations of Business Associate under Section D.3. of this BAA shall survive termination of the Agreement and this BAA.
3. No Third Party Beneficiaries: Nothing in this Exhibit shall confer upon any person other than the Parties and their respective successors or assigns any rights, remedies, obligations or liabilities whatsoever.