This Business Associate Agreement (the “Agreement”) is entered into this ___ day of ___________, 202_ by and between _____________________ (on behalf of itself and its subsidiaries) (“Covered Entity”) and Health Platforms Group, Inc. and its subsidiaries (dba Doctor.com) (“Business Associate”).
- Covered Entity and Business Associate are, or may become in the future, parties to various agreements (the “Underlying Agreement(s)”), under which Business Associate may perform on behalf of Covered Entity functions or activities involving the use and/or disclosure of Protected Health Information (“PHI”);
- The parties are entering into this Agreement to set forth and govern the terms and conditions under which Business Associate may use, disclose, transmit or receive PHI on behalf of Covered Entity and to meet the requirements of the business associate provisions of the Privacy and Security Standards set forth in the Health Insurance Portability and Accountability Act of 1996, and any amendments or implementing regulations (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act (Title XIII of the American Recovery and Reinvestment Act of 2009), and any amendments or implementing regulations (“HITECH”) (collectively, the “HIPAA Rules”).
NOW THEREFORE, Business Associate agrees to the terms and conditions set forth in this Agreement as follows:
- Definitions. Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms are defined under the HIPAA Rules.
- Compliance with Applicable Law. The parties acknowledge and agree that each party shall comply with its obligations under this Agreement and with all related obligations under the HIPAA Rules and other applicable laws and regulations, as they exist at the time this Agreement is executed and as they are amended or superseded, for so long as this Agreement is in place.
- Uses and Disclosures of PHI. Business Associate and its directors, officers, employees, subcontractors and agents, may use and disclose PHI only if necessary and appropriate to carry out the purposes specified in the Underlying Agreement(s), this Agreement, and for such other purposes as permitted by this Agreement, HIPAA or as required by law, including:
  - Business Associate may use PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate;
  - Business Associate may disclose PHI for the proper management and administration, or to carry out the legal responsibilities, of the Business Associate, provided that disclosures are required by HIPAA, or Business Associate obtains reasonable written assurances from the person or entity to whom the PHI is disclosed that it will remain confidential and be used or further disclosed only as required by law or for the purpose for which it was disclosed to the person or entity, and the person or entity agrees to notify the Business Associate of any instances of which it is aware or suspects that the confidentiality of the PHI has been breached. In such case, Business Associate shall report such known or suspected breaches to Covered Entity promptly and in accordance with timeframes set forth in this Agreement; and
  - Business Associate may use Protected Health Information to create de-identified information consistent with the standards set forth at 45 CFR §164.514.
- Limitations on Uses and Disclosures of PHI. Business Associate shall not, and shall ensure that its directors, officers, employees, and agents do not, use or disclose PHI received from Covered Entity in any manner that would constitute a violation of HIPAA or is not permitted or required by this Business Associate Agreement or required by law. All uses and disclosures of and requests by Business Associate for PHI are subject to the minimum necessary rule of the Privacy Standards.
- Required Safeguards To Protect PHI. Business Associate agrees that it will implement appropriate safeguards to prevent the use or disclosure of PHI other than pursuant to the terms and conditions of this Agreement. To the extent that Business Associate accesses, creates, receives, maintains or transmits Electronic PHI (“ePHI”) in performance of its duties on behalf of Covered Entity, Business Associate shall comply with the HIPAA Security Rule (45 C.F.R. Part 164, Subpart C), and accordingly shall implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the ePHI.
- Reporting of Improper Use and Disclosures of PHI. Business Associate shall promptly, and without unreasonable delay, report to Covered Entity any use or disclosure of PHI in violation of this Agreement by Business Associate, its officers, directors, employees, or agents, or by a third party to whom Business Associate disclosed PHI, including any Breach of Unsecured PHI in accordance with 45 C.F.R. §§ 164.400-414, and any Security Incident, as defined in 45 C.F.R. §164.304, of which it becomes aware. The parties acknowledge and agree that this section hereby constitutes notice of “unsuccessful Security Incidents” which include, but are not limited to, pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of such activities, so long as no such incident results in unauthorized access, use or disclosure of electronic PHI.
- Mitigation of Harmful Effects. Business Associate agrees to mitigate, to the extent practicable, any harmful effect of a use or disclosure of PHI by Business Associate in violation of the requirements of the HIPAA Rules or this Agreement.
- Agreements by Third Parties. Business Associate shall enter into an agreement with any agent or subcontractor of Business Associate that will access, create, receive, maintain or transmit PHI in connection with the services Business Associate provides to or on behalf of Covered Entity. Pursuant to such agreement, the agent or subcontractor shall agree to be bound by substantially similar restrictions, terms, and conditions that apply to Business Associate under this Agreement with respect to such PHI.
- Access to Information. Promptly upon request by Covered Entity, Business Associate will make available to Covered Entity PHI in a Designated Record Set as necessary to allow Covered Entity to satisfy its obligations under 45 C.F.R. §164.524 to provide Individuals with access to their PHI. In the event any individual requests access to PHI directly from Business Associate, Business Associate shall promptly forward such request to the Covered Entity.
- Availability of PHI for Amendment. Promptly upon request by Covered Entity, Business Associate will make available to Covered Entity the information required to allow Covered Entity to provide an accounting of disclosures in accordance with 45 C.F.R. §164.528. In the event the request for an accounting is delivered directly to Business Associate, Business Associate shall promptly forward such request to Covered Entity.
- Accounting of Disclosures. Promptly upon request by Covered Entity, Business Associate will make available to Covered Entity the information required to allow Covered Entity to provide an accounting of disclosures in accordance with 45 C.F.R. §164.528. In the event the request for an accounting is delivered directly to Business Associate, Business Associate shall promptly forward such request to Covered Entity.
- Other Obligations. Business Associate shall not use or disclose PHI in a manner that would violate HIPAA if done by Covered Entity. To the extent that Business Associate is responsible for performing Covered Entity’s obligations under the Privacy Rule (45 C.F.R. Part 164, Subpart E), under the Agreement or otherwise, Business Associate shall comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of such obligations.
- Availability of Books and Records. Business Associate agrees to make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary for purposes of determining Covered Entity’s compliance with HIPAA.
- Breach of Contract by Business Associate; Termination. In addition to any other rights Covered Entity may have under the applicable Underlying Agreement(s), this Agreement, or by operation of law or in equity, and notwithstanding any provisions in any such Underlying Agreement(s), Covered Entity may: (i) immediately terminate the Underlying Agreement(s) and this Agreement if Covered Entity is aware of a pattern of activity or practice of the Business Associate in violation of HIPAA or this Agreement or if Covered Entity determines that Business Associate has violated a material term of this Agreement; or (ii) at Covered Entity’s option, permit Business Associate to cure or end any such violation within the time specified by Covered Entity. Covered Entity’s option to permit Business Associate to cure a breach of this Agreement shall not be construed as a waiver of any other rights Covered Entity has in the Underlying Agreement(s), this Agreement or by operation of law or in equity.
- Effect of Termination of Agreement. Upon the termination of the Underlying Agreement(s) or this Agreement for any reason, Business Associate shall, if feasible, return to Covered Entity or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, that Business Associate maintains or stores in any form or medium. Business Associate shall retain no copies of the PHI. In the event that Business Associate reasonably determines that returning or destroying the PHI is not feasible, Business Associate shall notify Covered Entity of the conditions that make return or destruction infeasible, and shall extend the protections of this Agreement and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI.
- No Agency. This Agreement is not intended to create an agency or joint venture arrangement between the parties.
- Changes in the Law. In the event of new or revised legislation, rules and regulations to which Covered Entity or Business Associate are subject now or in the future including, without limitation, HIPAA, the parties agree to negotiate in good faith to amend the Underlying Agreement(s) or this Agreement, as necessary to conform to such new or revised requirements. In the event that the parties are not able to agree to appropriate amendments within thirty (30) days of written notice by a party of a necessary change, either party may terminate the Underlying Agreement(s) or this Agreement.
- Amendment. Any modifications to this Agreement must be made in writing and signed by both parties.
- Assignment. Neither party has the authority to reassign this Agreement without the other’s written consent. Notwithstanding the foregoing, either party may assign this Agreement, in whole or in part, to any entity resulting from the sale, combination or transfer of all or substantially all of the assets or capital stock, or from any other form of corporate reorganization by or of the party, in which case this Agreement shall be binding upon, and inure to the benefit of, the parties hereto, their respective successors and permitted assigns.
- Interpretation. Any ambiguity in this Agreement or the Underlying Agreement shall be resolved to permit the parties to comply with the HIPAA Rules and all other applicable federal, state and local laws, rules and regulations. In the event a provision of this Agreement conflicts with a provision in the Underlying Agreement(s), this Agreement shall control.
- Qualified Service Organization. Business Associate acknowledges that it may be a Qualified Service Organization (“QSO”), as defined by federal regulations on the confidentiality of substance use disorder information, 42 USC §290dd-2 and 42 CFR Part 2 (collectively, “Part 2”). To the extent Business Associate qualifies as a QSO with regard to the services provided to Covered Entity, Business Associate acknowledges and agrees that: in receiving, storing, processing or otherwise dealing with any patient records from Covered Entity that are subject to Part 2, it is fully bound by Part 2; and, if necessary, it will resist in judicial proceedings any efforts to obtain access to patient identifying information related to substance use disorder diagnosis, treatment or referral for treatment except as permitted by Part 2.