HIPAA Business Associate Agreement
This Business Associate Agreement (“Agreement”) is entered into between Magnet Marketing LLC d/b/a ReviewThread (“ReviewThread” or “Business Associate”) and any ReviewThread customer that is a Covered Entity (as defined below) to permit Business Associate create, receive, maintain, and transmit Protected Health Information (“PHI”) (including Electronic Protected Health Information (“e-PHI”)) for or on behalf of Covered Entity, so that Business Associate may render certain specified services (“Service”) to Covered Entity under the ReviewThread Terms of Service (“Terms”). This Agreement shall be considered part of the Terms between Business Associate and Covered Entity.
I. Definitions
The following terms used in this Agreement shall have the same meaning as those terms in final regulations implementing the Health Insurance Portability and Accountability Act (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act (“HITECH”) at 45 CFR parts 160, 162, and 164, as amended from time to time: Breach, Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Protected Health Information (“PHI”), Required by Law, Secretary, Security Incident, Subcontractor, Unsecured PHI, and Use.
A. Business Associate—“Business Associate” shall generally have the same meaning as the term “Business Associate” at 45 CFR 160.103, and in reference to the party to this agreement, shall mean ReviewThread.
B. Covered Entity—“Covered Entity” shall generally have the same meaning as the term “Covered Entity” at 45 CFR 160.103, and in reference to the party to this agreement, shall mean any ReviewThread customer that is a Covered Entity.
C. HIPAA Rules—“HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.
II. Obligations and Activities of Business Associate
Business Associate agrees to:
A. Not use or disclose PHI other than as permitted or required by the Agreement or as Required by Law;
B. Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to ePHI, to prevent Use or Disclosure of PHI other than as provided for by the Agreement;
C. Report to Covered Entity, within a reasonable timeframe, any Use or Disclosure of PHI not provided for by the Agreement of which it becomes aware, including breaches of unsecured PHI as required at 45 CFR 164.410, and any Security Incident of which it becomes aware;
D. In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any Subcontractors that create, receive, maintain, or transmit PHI on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information;
E. Upon written request from the Covered Entity, Business Associate agrees to provide, within a reasonable timeframe, all PHI identified by Covered Entity as part of a Designated Record Set as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.524;
F. Upon written request from Covered Entity, Business Associate agrees to incorporate any amendment(s) to PHI in a Designated Record Set as directed or agreed to by the Covered Entity – 2 – 138271571.1 pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.526;
G. Maintain and make available, within a reasonable timeframe, the information required to provide an accounting of Disclosures to the Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.528, except Business Associate shall not be obligated to respond to an Individual’s request for an accounting of Disclosures of PHI made directly to Business Associate;
H. To the extent the Business Associate is to carry out one or more of Covered Entity’s obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s); and
I. Make its internal practices, books, and records available to the Secretary for purposes of determining Covered Entity’s compliance with the HIPAA Rules.
III. Permitted Uses and Disclosures by Business Associate
A. Business Associate may only use or disclose PHI as necessary to perform the services set forth in the Terms.
B. Business Associate may use or disclose PHI as Required by Law.
C. Business Associate agrees to make uses and Disclosures and requests for PHI consistent with Covered Entity’s Minimum Necessary policies and procedures.
D. Business Associate may not use or disclose PHI in a manner that would violate the HIPAA Rules if done by Covered Entity.
E. Business Associate may use PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate.
F. Business Associate may disclose PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of the Business Associate, provided the disclosures are Required by Law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and used or further disclosed only as Required by Law or for the purposes for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
IV. Provisions for Covered Entity to Inform Business Associate of Privacy Practices and Restrictions
A. Covered Entity shall notify Business Associate of any limitation(s) in the Covered Entity’s Notice of Privacy Practices under 45 CFR 164.520, to the extent that such limitation may affect Business Associate’s Use or Disclosure of PHI.
B. Covered Entity shall notify Business Associate of any changes in, or revocation of, the permission by an Individual to Use or Disclose his or her PHI, to the extent that such changes may affect Business Associate’s Use or Disclosure of PHI.
C. Covered Entity shall notify Business Associate of any restriction on the Use or Disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 CFR 164.522, to the extent that such restriction may affect Business Associate’s Use or Disclosure of PHI.
V. Permissible Requests by Covered Entity
Except as provided in Section III of this Agreement, Covered Entity shall not request Business Associate to use or disclose PHI in a manner that would not be permissible under the HIPAA Rules if made by Covered Entity.
VI. Term and Termination
Term: The Term of this Agreement shall be effective as of the first day that Covered Entity provides PHI to Business Associate and shall terminate when all of the PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or if it is infeasible to return or destroy PHI, protections are extended to such PHI in accordance with the termination provisions in this Section.
Termination or Cause: Business Associate authorizes termination of this Agreement by Covered Entity, if Covered Entity determines Business Associate has violated a material term of the Agreement and Business Associate has not cured the Breach or ended the violation within the time specified by Covered Entity, or Business Associate has breached a material term of this Agreement and a cure is not possible.
Obligations of Business Associate Upon Termination: Upon termination of this Agreement for any reason, Business Associate shall return to Covered Entity or, if agreed to by Covered Entity, destroy all PHI received from Covered Entity, or created, maintained, or received by Business Associate on behalf of Covered Entity, that the Business Associate still maintains in any form. Business Associate shall retain no copies of the PHI. If Business Associate determines that returning or destroying the PHI is infeasible, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction infeasible and extend the protections of this Agreement to such PHI and limit further uses and Disclosures of such PHI to those purposes that make return or destruction infeasible, for so long as Business Associate retains such PHI.
Survival: The obligations of Business Associate under this Section shall survive the termination of this Agreement.
VII. Miscellaneous
A. Regulatory References. A reference in this Agreement to a section in the HIPAA Rules means the section as in effect or as amended.
B. Amendment. The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for compliance with the requirements of the HIPAA Rules and any other applicable law.
C. Interpretation. Any ambiguity in this Agreement shall be interpreted to permit compliance with the HIPAA Rules.