BUSINESS ASSOCIATE AGREEMENT
Please read this Business Associate Agreement (“BAA”) carefully, as it forms a contract between CentralReach, LLC a Florida limited liability company (“CentralReach”), and the customer agreeing to these terms (“Customer,” “you” or “your”), and covers all services provided by CentralReach to Customer in accordance with Customer’s Order (“Services”) as part of the Service Agreement as described by the Terms of Service.
CentralReach and Customer are sometimes referred to in this BAA individually as a “Party” and collectively as the “Parties.” This BAA will remain effective for any agreement between the Parties until terminated in accordance with the terms of this BAA.
Customer is a Covered Entity or a Business Associate. Customer possesses Protected Health Information that is protected under HIPAA. Customer is permitted to Use or Disclose such Protected Health Information only in accordance with HIPAA and HITECH (and the applicable business associate agreement if Customer is a Business Associate). The services provided to Customer require CentralReach to host Customer Data that may contain Protected Health Information. HITECH imposes certain requirements on Business Associates. To the extent CentralReach creates, receives, maintains, or transmits Protected Health Information on behalf of Customer, CentralReach is a Business Associate of Customer. Accordingly, HIPAA requires CentralReach and Customer to comply with certain obligations under the Privacy Rule, Breach Notification Rule, and Security Rule that relate to the Use, access, and Disclosure of Protected Health Information.
The terms and conditions in this BAA are intended to supersede any conflicting terms and conditions in the Agreements.
In consideration of the foregoing and of the mutual representations, warranties, covenants and agreements contained herein, the mutuality, receipt and sufficiency of which are hereby acknowledged, the Parties hereby agree as follows:
- Definitions. Except as otherwise defined in this BAA, all capitalized terms used in this BAA shall have the meanings set forth in HIPAA and in the Service Agreement.
- “Breach Notification Rule” means the Breach Notification for Unsecured Protected Health Information Final Rule (45 C.F.R. part 164, subpart D).
- “Business Associate” shall generally have the same meaning as the term “business associate” at 45 CFR 160.103.
- “Covered Entity” shall generally have the same meaning as the term “covered entity” at 45 CFR 160.103.
- “Customer Data” means data submitted by Users into the Services (each as defined in the Terms of Service that comprises part of the Agreement).
- “Enforcement Rule” means the HIPAA enforcement standards (45 CFR part 160, subparts C, D, and E).
- “HHS” means the United States Department of Health and Human Services.
- “HIPAA” collectively means the administrative simplification provision of the Health Insurance Portability and Accountability Act (Public Law 104-191) enacted by the United States Congress, and the regulations and guidance promulgated thereunder by HHS, including the HIPAA Rules, as amended from time to time, including, without limitation, by HITECH and by the Modifications to the HIPAA Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule.
- “HITECH” means the Health Information Technology for Economic and Clinical Health Act and the regulations and guidance promulgated thereunder by HHS. HITECH was adopted as part of the American Recovery and Reinvestment Act of 2009.
- “HIPAA Rules” means the Privacy Rules, Security Rules, Breach Notification Rules, and Enforcement Rules, 45 CFR Part 160 and Part 164.
- “Privacy Rule” means the Standards for Privacy of Individually Identifiable Health Information (45 C.F.R. parts 160 and 164, subparts A and E).
- “Security Rule” means the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. parts 160, 162 and 164, subparts A and C).
- Obligations and Activities of CentralReach. The Parties agree that, to the extent CentralReach creates, receives, maintains, or transmits Protected Health Information on behalf of Customer, CentralReach is a Business Associate of Customer as contemplated by HIPAA and HITECH. To the extent that CentralReach is acting as a Business Associate, CentralReach agrees to the following:
- HIPAA Compliance. CentralReach agrees to comply with the requirements of HIPAA and HITECH that are applicable to CentralReach.
- Limitations on Use and Disclosure. CentralReach agrees to not Use or Disclose Protected Health Information other than as permitted or required by this BAA and the Agreements, or as otherwise Required by Law, provided that any such Use or Disclosure would not violate HIPAA if done by Customer, unless expressly permitted for Business Associates under HIPAA. CentralReach shall make reasonable efforts to Use, Disclose, and/or request the minimum necessary Protected Health Information to accomplish the intended purpose of such Use, Disclosure, or request.
- Safeguards. To maintain electronic data security and prevent the inappropriate Use or Disclosure of the Protected Health Information other than as provided for by this BAA and the Agreements, or as Required by Law, CentralReach agrees to (i) implement appropriate safeguards, and (ii) comply with the applicable requirements of 45 CFR Part 164 Subpart C of the Security Rule. CentralReach agrees to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic Protected Health Information that it creates, receives, maintains, or transmits to or on behalf of Customer to the extent required by HIPAA and HITECH.
- Reporting. CentralReach agrees to report to Customer (i) any Use or Disclosure of the Protected Health Information of which it becomes aware that is not permitted or required by this BAA and the Agreements, or otherwise Required by Law, (2) any Security Incident of which it becomes aware, provided that notice is hereby deemed given for unsuccessful Security Incidents and no further notice of such Unsuccessful Security Incidents shall be given; and (3) any Breach of Customer’s Unsecured Protected Health Information that CentralReach may discover (in accordance with 45 CFR §164.410 of the Breach Notification Rule). CentralReach agrees to deliver each such notification of a Breach to Customer without unreasonable delay, but in no event more than 30 calendar days after discovery of a Breach. Taking into account the level of risk reasonably likely to be presented by the Use, Disclosure, Security Incident, or Breach, the timing of other reporting will be made consistent with CentralReach’s and Customer’s legal obligations.
- Subcontractors. In accordance with 45 CFR §164.502(e)(1)(ii) and 45 CFR §164.308(b) (2) of HIPAA, CentralReach agrees to require that any Subcontractors who create, receive, maintain, or transmit the Protected Health Information on behalf of CentralReach agree in writing to (i) the same or similar restrictions, conditions and requirements that apply through this BAA to CentralReach with respect to the Protected Health Information.
- Designated Record Sets. If CentralReach maintains Protected Health Information in a Designated Record Set for Customer, CentralReach, at the request of Customer, agrees as follows:
- CentralReach will make such Protected Health Information in the Designated Record Set available to Customer in accordance with 45 CFR §164.524 of the Privacy Rule.
- CentralReach will make such Protected Health Information in the Designated Record Set available to Customer for amendment and will incorporate any reasonably requested amendment in such Protected Health Information in accordance with 45 CFR §164.524 of the Privacy Rule.
- If CentralReach receives from a patient a request for access to or amendment of Protected Health Information in the Designated Record Set, CentralReach will submit such request to Customer for Customer’s response as soon as reasonably practical. Customer acknowledges that the information it submits to the HIE Service (as defined in the Service Agreement) does not constitute the Customer’s Designated Record Set (as defined in 45 CFR §164.501), and that all information contained within the HIE Service shall not constitute nor be construed to include a Designated Record Set. Customer further acknowledges that Customer’s Designated Record Set shall be comprised only of information maintained by Customer outside of the HIE Service. Because the HIE Service does not contain a Designated Record Set, patients shall have no rights to: (i) access the HIE Information (as required of a Designated Record Set in 45 CFR §164.524), or (ii) request amendment of HIE Information (as required of a Designated Record in 45 CFR §164.526).
- Disclosure to Secretary. CentralReach agrees, at the Customer’s reasonable expense, to make its internal practices, books, and records relating to the use and disclosure of Protected Health Information that is subject to this BAA, available to the Secretary of HHS, at a time and in a manner reasonably designated by the Secretary, for purposes of the Secretary determining Customer’s compliance with the HIPAA Rules, subject to attorney-client and other applicable legal privileges.
- Accounting of Disclosure. CentralReach shall maintain and, at the request of Customer, shall make available to Customer such information relating to Disclosures made by CentralReach as are required for Customer to make any requested accounting of Disclosures in accordance with 45 CFR §164.528 of the Privacy Rule. If CentralReach receives from a patient a request for an accounting of disclosures of information, CentralReach will submit such request to Customer for Customer’s response as soon as reasonably practical. Unless otherwise Required by Law, no patient shall have a right to an accounting of disclosures of HIE Information (as defined in the Service Agreement) maintained within the HIE Service because all such disclosures shall be for Treatment purposes only.
- Performance of a Covered Entity’s Obligations. To the extent CentralReach is to carry out a Covered Entity obligation under Subpart E of the 45 CFR Part 164, CentralReach agrees to comply with the requirements of Subpart E that apply to Customer in the performance of that obligation.
- Obligations and Activities of Customer.
- No Impermissible Requests. Except as provided in Section 4(b), Customer shall not request CentralReach to Use or Disclose Protected Health Information in any manner that would not be permissible under HIPAA if done by a Covered Entity (unless permitted by HIPAA for a Business Associate).
- Contact Information for Notices. Customer hereby agrees that any reports, notification, or other notice by CentralReach pursuant to this BAA may be made electronically or as otherwise contemplated by the Service Agreement. Customer shall provide contact information to firstname.lastname@example.org or as otherwise contemplated by the Service Agreement and shall ensure that Customer’s contact information remains up to date during the term of this BAA. Contact information must include name of individual(s) to be contacted, title of individuals(s) to be contacted, e-mail address of individual(s) to be contacted, name of Customer organization, and, if available, either contract number or subscriber identification number.
- Safeguards and Appropriate Use of Protected Health Information. Customer is responsible for implementing appropriate administrative, technical and physical safeguards to protect its Protected Health Information in compliance with HIPAA. Without limitation, it is Customer’s obligation to:
- Not include Protected Health Information in (1) information Customer submits to technical support personnel or to community support forums; and (2) Customer’s address book or directory information. In addition, CentralReach does not act as, or have the obligations of, a Business Associate under HIPAA with respect to Customer Data once it is sent to or from Customer outside the Services (as defined in the Agreement) over the public Internet.
- Implement privacy and security safeguards in the systems, applications, and software Customer controls, configures, and uses to upload Customer Data into the Services.
- Permitted Uses and Disclosures by CentralReach.
- Performance of Agreements. Except as otherwise expressly limited in this BAA, CentralReach may Use or Disclose Protected Health Information to perform functions, activities or services for, or on behalf of, Customer as specified in the Agreements, provided that such Use or Disclosure would not violate HIPAA or HITECH if done by Customer, unless expressly permitted for Business Associates under HIPAA and HITECH.
- Management, Administration, and Legal Responsibilities. Except as otherwise expressly limited in this BAA, CentralReach may Use and Disclose Protected Health Information for the proper management and administration of CentralReach and to carry out the legal responsibilities of CentralReach, provided that any Disclosure may occur only if (i) Required By Law, or (ii) (a) CentralReach obtains reasonable written assurances from the person to whom the Protected Health Information is disclosed that it will remain confidential and Used or further Disclosed only as Required By Law or for the purpose for which it was Disclosed to the person, and (b) the person notifies CentralReach of any instances of which the person is aware in which the confidentiality of the Protected Health Information has been breached.
- Data Aggregation Services. Except as otherwise expressly limited in this BAA, CentralReach may use Protected Health Information to provide Data Aggregation services to Customer as permitted by §164.504(e)(2)(i)(B) of the Regulations.
- Legal Violations. CentralReach may use Protected Health Information to report violations of law to appropriate Federal and State authorities, consistent with §164.502(j) (1) of the Regulations.
- Term and Termination.
- Term. This BAA shall continue in effect until the earlier to occur of (1) the expiration or termination of all of the Agreements (or the applicable provisions thereof) that cause CentralReach to be a Business Associate of Customer, or (2) the date on which either Party terminates this BAA for cause in accordance with Section 5(b).
- Termination for Cause. If either Party is in material breach or default of any obligation under this BAA, the other Party may, subject to CentralReach’s duty to return or destroy the Protected Health Information as set forth in Section 5(d) below:
- (i) Provide a reasonable opportunity for the breaching Party to cure the material breach or default and, if the breaching Party does not cure the material breach or default within a reasonable time, terminate this BAA and all of the Agreements (or the applicable provisions thereof) that cause CentralReach to be a Business Associate of Customer; or (ii) If cure is not possible, immediately terminate this BAA and all of the Agreements (or the applicable provisions thereof) that cause CentralReach to be a Business Associate of Customer.
- Effect of Termination of Agreements. In the event of the termination or expiration of all the Agreements (or the applicable provisions thereof) that cause CentralReach to be a Business Associate of Customer, this BAA shall automatically terminate, subject to CentralReach’s duty to return or destroy the Protected Health Information as set forth in Section 5(d) below.
- Return, Destruction, or Retention of Protected Health Information Upon Termination. Upon expiration or termination of all the Agreements (or the applicable provisions thereof) that cause CentralReach to be a Business Associate of Customer, if it is feasible to do so, CentralReach shall return or destroy all Protected Health Information in its possession in accordance with the applicable termination provisions of each of the Agreements and this BAA. If CentralReach determines that it is not feasible to return or destroy any Protected Health Information upon such expiration or termination of all of the Agreements (or the applicable provisions thereof) that cause CentralReach to be a Business Associate of Customer, then, for the duration of the retention of such Protected Health Information, this BAA shall remain in full force and effect solely with respect to such retained Protected Health Information and CentralReach shall limit any further Use or Disclosure of the retained Protected Health Information to those purposes that make the return or destruction infeasible.
- Limitation of Liability. EXCEPT AS NOTED BELOW IN THE THIRD SENTENCE OF THIS SECTION 6, IN NO EVENT SHALL CENTRALREACH, OR ANY OF ITS AFFILIATES, SUBCONTRACTORS, LICENSORS, OR ANY OTHER PERSON OR ENTITY WITH WHOM CENTRALREACH MAY BE CLAIMED TO BE JOINTLY LIABLE (FOR SUCH PURPOSES, COLLECTIVELY, THE “CENTRALREACH PARTIES”) BE LIABLE FOR ANY LOSS OF PROFITS, DATA OR GOODWILL OR FOR ANY INDIRECT, CONSEQUENTIAL, INCIDENTAL, PUNITIVE, EXEMPLARY OR SPECIAL LOSSES OR DAMAGES, OR EXPENSES (INCLUDING WITHOUT LIMITATION ATTORNEYS’ FEES) THAT CUSTOMER MAY INCUR OR SUFFER, WHETHER OR NOT THE POSSIBILITY OF SUCH DAMAGE WAS KNOWN, FORESEEABLE OR CONTEMPLATED BY CENTRALREACH OR CUSTOMER. IN NO EVENT SHALL CENTRALREACH OR ANY OF THE OTHER CENTRALREACH PARTIES BE LIABLE TO CUSTOMER FOR ANY CLAIM OR CAUSE OF ACTION, WHETHER BASED ON CONTRACT, TORT, STRICT LIABILITY OR ANY OTHER LEGAL THEORY, FOR AN AMOUNT IN EXCESS OF THE FEES (AS DEFINED IN THE AGREEMENTS) PAID TO CENTRALREACH BY CUSTOMER PURSUANT TO THE SERVICE AGREEMENT FOR THE SIX (6) MONTH PERIOD IMMEDIATELY PRECEDING THE DATE OF THE ACCRUAL OF THE CLAIM (THE “LIABILITY LIMIT”). The Parties agree that only reasonable breach mitigation costs and expenses incurred by Customer and caused primarily by CentralReach’s material breach of this BAA shall be considered direct damages (not indirect or consequential) and CentralReach’s liability for such costs and expenses shall be subject to the Liability Limit. The terms of this Section 6 allocate the risks under this BAA. CentralReach’s pricing under the Agreements reelects, in part, this allocation of risk and the agreed upon limitation of liability.
- Applicability of Amendment. As of the effective date of this BAA, this BAA is applicable to the Agreements, whether current or future, between the Parties without additional action by the Parties.
- Changes to HIPAA. If either of the Parties determines in good faith that any regulations and interpretative guidance adopted or amended with respect to HIPAA or HITECH after the execution of this BAA is required by law to be implemented and made a part hereof, this BAA shall be renegotiated in good faith so as to amend all applicable provisions in a manner that would eliminate any substantial risk of noncompliance.
- Survival. The respective rights and obligations of the Parties shall survive the termination of this BAA.
- Interpretation. Any ambiguity in this BAA shall be resolved to permit compliance with HIPAA. This BAA is an addendum to the Agreements; provided, however, that under no circumstances shall the terms of the Agreements modify the terms of this BAA. In the event of any conflict or other inconsistency between the terms of this BAA and the terms of the Agreements, the terms of this BAA shall govern. The section headings contained in this BAA are for reference purposes only and should not affect in any way the meaning or interpretation of this BAA.
- Amendments; Waiver. Except as expressly set forth in this BAA, a provision of this BAA may be altered only by a writing signed by both Parties. The waiver of a breach hereunder may be effected only by a writing signed by the waiving Party and shall not constitute a waiver of any other breach.
- No Third-Party Beneficiaries. Nothing express or implied in this BAA is intended to confer, nor shall anything in this BAA confer, upon any person other than the Parties, and the respective successors or assigns of the Parties, any rights, remedies, obligations, or liabilities whatsoever.
- Counterparts. This BAA may be executed in counterparts, each of which shall be deemed an, original and all of which together shall constitute one and the same instrument.
- Severability. If for any reason a court of competent jurisdiction finds any provision of this BAA invalid or unenforceable, that provision of this BAA shall be enforced to the maximum extent permissible and the other provisions of this BAA shall remain in full force and effect.
- Service Agreement. This BAA is part of the Service Agreement as described in the CentralReach Terms of Service located at https://centralreach.com/terms-of-service/.