GLOBAL RESPONSE SYSTEMS CORPORATION
BUSINESS ASSOCIATE AGREEMENT
WHEREAS, Business Associate provides software and hosting services on its hosting system to Covered Entity (“Services”), pursuant to the Software-as-a-Service Subscription Contract (“Services Agreement”);
WHEREAS, in connection with these Services, Covered Entity discloses to Business Associate certain protected health information (“PHI”) (defined below) that is subject to protection under HIPAA; and
WHEREAS, HIPAA requires that Covered Entity receive adequate assurances that Business Associate will comply with certain obligations with respect to the PHI received in the course of providing Services to or on behalf of Covered Entity.
NOW THEREFORE, in consideration of the mutual promises and covenants herein, and for other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the Parties agree as follows:
A. Acknowledgment of HIPAA Obligations and Other Regulations Implementing HIPAA. The parties acknowledge that federal regulations set forth in the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and the Health Information Technology for Economic and Clinical Health Act of 2009 ("HITECH") relating to the confidentiality, integrity, and availability of protected health information (whether created, maintained, accessed, stored or transmitted electronically or otherwise) require covered entities to comply with the privacy and security standards adopted by the U.S. Department of Health and Human Services, as they may be amended from time to time, at 45 C.F.R. parts 160 and 164, subparts A and E ("Privacy Rule") and 45 C.F.R. parts 160 and 164, subparts A and C ("Security Rule"). The Privacy Rule and Security Rule are sometimes collectively referred to herein as the "Privacy and Security Standards".
B. Definitions.
1. “Business Associate” shall generally have the same meaning as the term “business associate” at 45 C.F.R. § 160.103, and in reference to the party to this BAA, shall mean Global Response Systems Corporation.
2. “Covered Entity” shall generally have the same meaning as the term “covered entity” at 45 C.F.R. § 160.103, and in reference to the party to this BAA, shall mean the party set forth in the introductory paragraph to this BAA.
3. “HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 C.F.R. Part 160 and Part 164.
4. The following terms used in this BAA shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Protected Health Information, Required by Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use.
C. Purposes for which Protected Health Information, including Electronic Protected Health Information, May be Used or Disclosed. In connection with the services provided by Business Associate on behalf of Covered Entity pursuant to this BAA, Covered Entity may use, access, and disclose PHI to Business Associate for the purpose of Business Associate providing the Services to Covered Entity, as set forth in the Services Agreement.
D. Specific Responsibilities.
1. The HIPAA Rules generally do not require Business Associate to maintain electronic protected health information (ePHI) beyond the time it provides services to Covered Entity. Covered Entity shall retain responsibility for maintaining the ePHI sent through the Business Associate’s software applications. For the secureFILEHARE application, after 72 hours, Business Associate performs a “delete” action on Covered Entity’s data within the Business Associate’s database, which removes it altogether. For the secureGRS messenger application, Business Associate retains the data during the time period that Covered Entity is a Subscriber to the Services. When Covered Entity cancels its subscription, fails to make payment, or otherwise is no longer a Subscriber to the services, Covered Entity must export/download the ePHI to maintain in its own patient files. Covered Entity will be given a reasonable time to do so, not to exceed two (2) weeks (“Allowed Export Period”), after which time Business Associate performs a “delete” action on Covered Entity’s data, which removes it altogether.
2. Covered Entity is responsible for obtaining all authorizations from Individuals as patients for use of the Business Associate’s software applications to transmit ePHI thereon. Business Associate is not responsible for obtaining authorization directly from the Individuals, as Business Associate’s software merely transmits the information between covered entities or between the covered entity and persons authorized by the patient. It is Covered Entity’s responsibility alone to ensure correct entry of data (such as e-mail addresses and correct files for transfer) in the Business Associate’s software application, and Business Associate has no control over the decision as to whom the information will be sent or what information will be delivered.
3. As set forth in more detail below in section F.7., Business Associate will notify Covered Entity of a Security Incident. Covered Entity agrees to handle all related further notifications to Individuals required under the HIPAA Rules.
E. Obligations of Covered Entity. Covered Entity shall:
1. notify Business Associate of any limitations in the Notice of Privacy Practices of Covered Entity in accordance with 45 C.F.R. § 164.520, to the extent such limitation may affect Business Associate’s use or disclosure of PHI;
2. provide Business Associate with any changes in, or revocation of, authorizations by Individuals relating to the use and/or disclosure of PHI, if such changes affect Business Associate’s permitted or required uses and/or disclosures;
3. notify Business Associate of any restriction on the use and/or disclosure of PHI to which Covered Entity has agreed in accordance with 45 C.F.R. § 164.522;
4. notify Business Associate of any amendment to PHI to which Covered Entity has agreed that affects a Designated Record Set maintained by Business Associate; and
5. if Business Associate maintains a Designated Record Set, provide Business Associate with a copy of its policies and procedures related to an Individual’s right to: access PHI; request an amendment to PHI; request confidential communications of PHI; or request an accounting of disclosures of PHI.
F. Obligations of Business Associate. Business Associate agrees to comply with applicable federal and state confidentiality and security laws, including the following:
1. Use and Disclosure of PHI.
a. Business Associate may only use or disclose PHI as necessary to perform the services set forth in the Services Agreement in providing Services to or on behalf of Covered Entity.
b. Business Associate may use and disclose PHI as required by law.
c. Business Associate agrees to make uses and disclosures of, and requests for, PHI consistent with Covered Entity’s Minimum Necessary policies and procedures, i.e., only the PHI that is the minimum necessary to accomplish the intended purpose of the use, disclosure, or request may be used, disclosed, or requested.
d. Business Associate may not use or disclose PHI in a manner that would violate Subpart E of 45 C.F.R. Part 164 if done by Covered Entity, except that Business Associate may use PHI for the proper management and administration of the Business Associate or to carry out its legal responsibilities and its responsibilities under this BAA.
2. Withdrawal of Consent or Authorization. If the use or disclosure of PHI in this BAA is based upon an Individual's specific consent or authorization for the use of his or her PHI, and the Individual revokes such consent or authorization in writing, or the effective date of such authorization has expired, or the consent or authorization is found to be defective in any manner that renders it invalid, the Business Associate agrees, if it has notice of such revocation or invalidity, to cease the use and disclosure of any such Individual's PHI except to the extent it has relied on such use or disclosure, or where an exception under the Privacy and Security Standards expressly applies.
3. Safeguards. Business Associate will implement and maintain administrative, physical, and technical safeguards, in accordance with Subpart C of 45 C.F.R. Part 164, that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic PHI, prevent use or disclosure of PHI other than as provided for by this BAA, and ensure that such PHI is not received, used, accessed, stored, transmitted, or disclosed other than as provided by this BAA or as required by law.
4. Records Management. Upon termination of this BAA or the Services Agreement for any reason, Business Associate agrees to return or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, that Business Associate maintains in any form and shall comply with federal and state laws as they may be amended from time-to-time governing the maintenance or retention of PHI. If the return or destruction of PHI is not feasible, Business Associate shall inform Covered Entity of the reason thereof, and Business Associate agrees to extend the protections of this BAA to such PHI and limit further uses and disclosures of the PHI to those purposes that make the return or destruction of the information infeasible for so long as Business Associate retains the PHI.
5. Individual Rights Regarding Designated Record Sets. If Business Associate maintains a Designated Record Set on behalf of Covered Entity, Business Associate will make available PHI in a Designated Record Set to the Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. § 164.524. Business Associate agrees that it will accommodate an Individual's right to have access to and amend PHI about the Individual in a Designated Record Set in accordance with the Privacy and Security Standards set forth at 45 C.F.R. §§ 164.524 and 164.526, as they may be amended from time to time, unless the regulation provides for a denial or exception that applies.
6. Accounting of Disclosures. Business Associate agrees to maintain documentation of, and make available to the Covered Entity from whom the PHI originated, the information required for an accounting of disclosures of PHI with respect to the Individual, in accordance with 45 C.F.R. § 164.528 as it may be amended from time to time, and incorporating the exceptions to such accounting designated under the regulation. Such accounting shall be provided for as long as the Business Associate maintains the PHI.
7. Security Incident. The Business Associate agrees to immediately report to Covered Entity any use or disclosure of PHI not provided for by this BAA of which it becomes aware, including breaches of unsecured PHI as required at 45 C.F.R. § 164.410, and any Security Incident of which the Business Associate becomes aware.
8. Subcontractors. In accordance with 45 C.F.R. § 164.502(e)(1)(ii) and § 164.308(b)(2), if applicable, Business Associate agrees to ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information.
9. To the extent the Business Associate is to carry out one or more of Covered Entity’s obligations under Subpart E of 45 C.F.R. Part 164, Business Associate agrees to comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligations.
G. Internal Practices, Books, and Records. The Business Associate shall make available its internal practices, policies, procedures, books, and records relating to the use and disclosure of PHI received from Covered Entity, or created or received by the Business Associate on behalf of Covered Entity, to the Secretary for the purpose of determining Covered Entity's compliance with the HIPAA Rules. Records requested that are not protected by an applicable legal privilege will be made available in the time and manner specified by the Secretary.
H. Rights of Proprietary Information. Covered Entity retains any and all rights to the proprietary information, confidential information, and PHI it releases to Business Associate.
I. Termination Upon Breach of Provisions. Notwithstanding any other provision of this BAA, Covered Entity may immediately terminate this BAA if it determines that Business Associate breaches any term in this BAA. Alternatively, Covered Entity may give written notice to Business Associate in the event of a breach and give Business Associate five (5) business days to cure such breach. Covered Entity shall also have the option to immediately stop all further disclosures of PHI to Business Associate if Covered Entity reasonably determines that Business Associate has breached its obligations under this BAA. In the event that termination of this BAA and the underlying Agreement is not feasible, Business Associate hereby acknowledges that the Covered Entity shall be required to report the breach to the Secretary of the U.S. Department of Health and Human Services, notwithstanding any other provision of this BAA or the Services Agreement to the contrary.
J. Return or Destruction of Protected Health Information upon Termination. Upon the termination of this BAA, unless otherwise directed by Covered Entity, Business Associate shall either return or destroy all PHI received from the Covered Entity or created or received by Business Associate on behalf of the Covered Entity which Business Associate maintains in any form. Business Associate shall not retain any copies of such PHI. Notwithstanding the foregoing, in the event that Business Associate determines that returning or destroying the PHI is not feasible upon termination of this BAA, Business Associate shall provide to Covered Entity notification of the condition that makes return or destruction not feasible. To the extent that it is not feasible for Business Associate to return or destroy such PHI, the terms and provisions of this BAA shall survive such termination or expiration and such PHI shall be used or disclosed solely as permitted by law for so long as Business Associate maintains such PHI.
K. Survival of Key Provisions. The provisions of this BAA and the respective rights and obligations of the Business Associate under this BAA shall survive the termination of this BAA and the Services Agreement.
L. Amendments. Covered Entity and Business Associate agree to enter into good faith negotiations to amend this BAA to come into compliance with changes in state and federal laws and regulations relating to the privacy, security and confidentiality of PHI. Covered Entity may terminate this BAA upon thirty (30) days written notice in the event that Business Associate does not promptly enter into an amendment that Covered Entity, in its sole discretion, deems sufficient to ensure that Covered Entity will be able to comply with such laws and regulations.
M. Regulatory References. A citation in this BAA to the Code of Federal Regulations (C.F.R.) shall mean the cited section as that section may be amended from time to time.
N. Relationship with Covered Entity. Unless otherwise set forth in a separate agreement between Covered Entity and Business Associate, Business Associate's relationship with Covered Entity will be that of an independent contractor and Business Associate is not the agent of Covered Entity and is not authorized to make any representations, contract, or commitment on behalf of Covered Entity unless specifically requested to do so, by Covered Entity, in writing. Nothing in this BAA should be construed to create a partnership, joint venture, or employer-employee relationship between the parties.
O. No Third Party Beneficiaries. The parties agree that the terms of this BAA shall apply only to themselves and are not for the benefit of any third party beneficiaries.
P. Interpretation. Any ambiguity in this BAA shall be resolved in favor of a meaning that permits Covered Entity to comply with HIPAA and any applicable federal or state confidentiality or security laws. The provisions of this BAA shall prevail over the provisions of any other agreement that exists between the Parties that may conflict with, or appear inconsistent with, any provision of this Agreement or HIPAA.
Q. Term. This BAA shall be effective as of the Effective Date and shall be terminated when all PHI provided to Business Associate by Covered Entity, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity.
1. Amendments. Covered Entity may amend this BAA from time to time as necessary, to comply with changes in applicable laws or regulations, including without limitation to HIPAA, by providing thirty (30) days’ written notice to Business Associate.
2. Choice of Law. This BAA and the rights and the obligations of the Parties hereunder shall be governed by and construed under the laws of the State of Wyoming, without regard to applicable conflict of laws principles.
3. Assignment of Rights and Delegation of Duties. This BAA is binding upon and inures to the benefit of the Parties hereto and their respective successors and permitted assigns. However, neither Party may assign any of its rights or delegate any of its obligations under this BAA without the prior written consent of the other Party, which consent shall not be unreasonably withheld or delayed. Notwithstanding any provisions to the contrary, however, Covered Entity retains the right to assign or delegate any of its rights or obligations hereunder to any of its wholly owned subsidiaries, affiliates or successor companies. Assignments made in violation of this provision are null and void.
4. Nature of BAA. Nothing in this BAA shall be construed to create (i) a partnership, joint venture or other joint business relationship between the Parties or any of their affiliates, (ii) any fiduciary duty owed by one Party to another Party or any of its affiliates, or (iii) a relationship of employer and employee between the Parties.
5. No Waiver. Failure or delay on the part of either Party to exercise any right, power, privilege or remedy hereunder shall not constitute a waiver thereof. No provision of this BAA may be waived by either Party except by a writing signed by an authorized representative of the Party making the waiver.
6. Severability. The provisions of this BAA shall be severable, and if any provision of this BAA shall be held or declared to be illegal, invalid or unenforceable, the remainder of this BAA shall continue in full force and effect as though such illegal, invalid or unenforceable provision had not been contained herein.
7. No Third Party Beneficiaries. Nothing in this BAA shall be considered or construed as conferring any right or benefit on a person not party to this BAA nor imposing any obligations on either Party hereto to persons not a party to this BAA.
8. Headings. The descriptive headings of the articles, sections, subsections, exhibits and schedules of this BAA are inserted for convenience only, do not constitute a part of this BAA and shall not affect in any way the meaning or interpretation of this BAA.
9. Entire Agreement. This BAA, together with all Exhibits, Riders and amendments, if applicable, which are fully completed and signed by authorized persons on behalf of both Parties from time to time while this BAA is in effect, constitutes the entire BAA between the Parties hereto with respect to the subject matter hereof and supersedes all previous written or oral understandings, agreements, negotiations, commitments, and any other writing and communication by or between the Parties with respect to the subject matter hereof. In the event of any inconsistency between any provision of this BAA and any provision of the Exhibits, Riders, or amendments, the provisions of this BAA shall control.