BUSINESS ASSOCIATE AGREEMENT

 

This BUSINESS ASSOCIATE AGREEMENT (this "BAA"), by and between EASYRX LLC, a Georgia limited liability company ("Covered Entity") and your Business ("Business Associate") is entered into and made effective as of the date the authorized agent of Business Associate clicks the "Accept" button below (the "Effective Date").

 

BY CLICKING THE "ACCEPT" BUTTON, BUSINESS ASSOCIATE ACKNOWLEDGES AND AGREES THAT IT HAS READ ALL OF THE TERMS AND CONDITIONS OF THIS AGREEMENT AND AGREES TO BE BOUND BY ALL TERMS AND CONDITIONS.

 

The person clicking the ACCEPT button hereby represents to EasyRx, LLC that he or she is at least 18 years old and is competent and fully authorized to enter into this binding agreement on behalf of the Business Associate.

 

BACKGROUND

 

WHEREAS, Covered Entity and Business Associate are parties to an agreement or various agreements whereby Business Associate provides certain services to Covered Entity ("Agreement").

 

WHEREAS, Business Associate's performance of the Agreement may require Business Associate to create, receive, maintain, or transmit Protected Health Information or financial accounts that are subject to the federal law and regulations with respect to privacy, security, and breach notification under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), including all pertinent regulations issued by the agencies of the United States Department of Health and Human Services (45 C.F.R. Parts 160 and 164), as amended by Subtitle D of the Health Information Technology for Economic and Clinical Health Act (HITECH Act), Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 (Pub. L. 111-5) (collectively referred to hereinafter as the "HIPAA Standards"); and


WHEREAS, the parties are committed to complying with the HIPAA Standards;

 

NOW, THEREFORE, in consideration of the mutual promises and obligations set forth herein, and other good and valuable consideration, the receipt and sufficiency of which the parties acknowledge, the parties hereby agree as follows:

 


1.                  General. This BAA sets forth the terms and conditions under which Protected Health Information or Electronic Protected Health Information that Business Associate creates, receives, maintains, or transmits on behalf of the Covered Entity will be handled between the Business Associate and the Covered Entity, as well as with third parties during the term of the Agreement and following its termination. In the event of an inconsistency between the terms of the Agreement and the terms of this BAA, the terms of this BAA shall control in regard to the handling of Protected Health Information or Electronic Protected Health Information.

 

2. Definitions. When used in this BAA, the following terms have the following meanings:

 


(a) "Protected Health Information" or "PHI" has the same meaning as the term "protected health information" in 45 C.F.R. § 160.103, limited to the information created, received, maintained, or transmitted on behalf of Covered Entity.

 

(b) "Electronic Protected Health Information" has the same meaning as the term "electronic protected health information" in 45 C.F.R. § 160.103, limited to the information created, received, maintained, or transmitted on behalf of Covered Entity.

 

(c) "Unsecured Protected Health Information" or "Unsecured PHI" means Protected Health Information that is not secured through the use of a technology or methodology specified by the Secretary in guidance or as otherwise defined in Section 13402(h) of the HITECH Act.

 

(d) "Privacy Rule" means the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. part 160, part 162 and part 164, subparts A and E.

 

(e) "Security Rule" means the Security Standards for the Protection of Electronic Protected Health Information at 45 C.F.R. part 160 and part 164, subpart C.

 

(f) "Secretary" means the Secretary of the Department of Health and Human Services or his/her designee.

 

(g) Terms used, but not otherwise defined, in this BAA shall have the same meaning as those terms in the HIPAA Standards and regulations.

 

(h) The term Protected Health Information or PHI shall include both Protected Health Information and Electronic Protected Health Information ("ePHI"); however, ePHI shall be used when only Electronic Protected Health Information is being referenced.

 

3. Obligations and Activities of Business Associate.

 

(a) Business Associate agrees not to use or disclose Protected Health Information other than as permitted or required by the Agreement (including this BAA) or as Required By Law.

 

(b) To prevent use or disclosure of the Protected Health Information other than as provided for by this BAA, Business Associate agrees to use appropriate safeguards, including but not limited to compliance with Subpart C of 45 C.F.R. Part 164 with respect to Electronic Protected Health Information.

 

(c) Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this BAA.

 

(d)               Business Associate agrees to report promptly, no later than one (1) day after discovery, to Covered Entity any use or disclosure of the Protected Health Information not provided for by this BAA of which it becomes aware. For uses or disclosures that represent breaches of unsecured Protected Health Information, Business Associate shall report the information required by 45 C.F.R. 164.410 without unreasonable delay, and in no case later than thirty (30) days after discovery.

 

(e) Business Associate agrees to ensure that any subcontractor that creates, receives, maintains, or transmits Protected Health Information agrees to the same restrictions, conditions, and requirements that apply through this BAA to Business Associate with respect to such information. Business Associate shall perform appropriate due diligence on each subcontractor prior to permitting a Subcontractor to receive, create, maintain, or transmit Protected Health Information. Business Associate shall not disclose Protected Health Information of 500 or more Individuals to a subcontractor without Covered Entity's prior written approval.

 

(f)                 Business Associate agrees to provide access, within ten (10) days of receiving a written request from Covered Entity, to Protected Health Information in a Designated Record Set to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 C.F.R. § 164.524, and any subsequent legislation or guidance regarding an Individual's right to access his or her Protected Health Information, including, but not limited to, the requirements of Section 13405 of HITECH Act and the regulations thereunder. In the event any Individual requests access to Protected Health Information directly from Business Associate, Business Associate shall forward such request to Covered Entity within two (2) days.

 

(g)                Business Associate agrees to make any amendment(s) to Protected Health Information in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 C.F.R. § 164.526 and any subsequent legislation or guidance regarding an Individual's right to request amendment of his or her Protected Health Information within thirty (30) days of receiving a written request from Covered Entity. In the event any Individual requests amendment of Protected Health Information directly from Business Associate, Business Associate shall forward such request to Covered Entity within two (2) days.

 

(h) Business Associate agrees to comply with the applicable requirements of the Security Rule and to ensure that any subcontractor that creates, receives, maintains, or transmits Protected Health Information agrees to comply with the applicable requirements of the Security Rule.

 

(i) Business Associate agrees to report promptly to Covered Entity any Security Incident of which Business Associate becomes aware.

 

(j)                 Business Associate agrees to make its internal practices, books, and records, including policies and procedures, relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of, Covered Entity available to the Covered Entity within ten (10) days of receiving a written request from Covered Entity, or to the Secretary, in a time and manner designated by the Secretary, for purposes of the Secretary's determining Covered Entity's compliance with the Privacy Rule. Nothing in this section shall be construed as a waiver of any legal privilege or of any protections for trade secrets or confidential commercial information. Business Associate shall immediately notify Covered Entity of such request from the Secretary pertaining to an investigation of Covered Entity's compliance with HIPAA.

 

(k)               Business Associate agrees to make its policies, procedures and documentation required by the Security Rule relating to the Safeguards for protecting ePHI that it creates, receives, maintains, or transmits on behalf of Covered Entity available to the Secretary for purposes of determining Covered Entity's compliance with the Security Rule.

 

(l)                  Business Associate agrees to document uses and disclosures of Protected Health Information and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information and/or an access report in accordance with 45 C.F.R. § 164.528 and any subsequent legislation or guidance regarding an Individual's right to an accounting of the disclosures of his or her Protected Health Information or access report, including but not limited to, the requirements of Section 13405 of HITECH Act and the regulations thereunder. Nothing in this section shall require documenting PHI as necessary to create an access report unless 45 C.F.R. § 164.528 is amended to require such a report.

 

(m)              Business Associate agrees to provide to Covered Entity, within thirty (30) days of receiving written notice, information collected in accordance with this BAA to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information and/or an access report in accordance with 45 C.F.R. § 164.528 and any subsequent legislation or guidance regarding an Individual's right to an accounting of the disclosures of his or her Protected Health Information, including, but not limited to, the requirements of Section 13405 of HITECH Act and the regulations thereunder. Nothing in this section shall require provision of an access report unless 45 C.F.R. § 164.528 is amended to require such a report.

 

(n) To the extent Business Associate is to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 C.F.R. Part 164, including but not limited to provision of Covered Entity's notice of privacy practices, Business Associate agrees to comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s).

 

4. Permitted Uses and Disclosures by Business Associate.

 

(a) Except as otherwise limited in this BAA, Business Associate may use or disclose Protected Health Information to perform functions, activities, or services for, or on behalf of, Covered Entity as specified in the Agreement, provided that such use or disclosure would not violate the Privacy Rule if done by Covered Entity.

 

(b) Except as otherwise limited in this BAA, Business Associate may disclose Protected Health Information for the proper management and administration or to carry out the legal responsibilities of the Business Associate, provided that disclosures are Required By Law, or (i) Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached; and (ii) Business Associate obtains Covered Entity's prior written approval for such disclosures involving 500 or more Individuals.

 

(c) Except as otherwise limited in this BAA, Business Associate may use Protected Health Information to provide Data Aggregation services to Covered Entity as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B).

 

(d) Business Associate may use Protected Health Information to report violations of law to appropriate Federal and State authorities, consistent with 45 C.F.R. § 164.502(j)(1).

 

(e) Business Associate may not use Protected Health Information to create de-identified health information under 45 C.F.R. § 164.514(b) of the Privacy Rule unless necessary to perform functions, activities, or services for, or on behalf of, Covered Entity as specified in the Agreement.

 

4. Term and Termination.

 

(a) Term. The term of this BAA shall be effective upon execution, and shall terminate when the Agreement is terminated.

 

(b) Termination for Cause. Upon Covered Entity's knowledge of a material breach of this BAA by Business Associate, Covered Entity shall either:

 

(i) Provide an opportunity for Business Associate to cure the breach or end the violation and terminate this BAA and the Agreement if Business Associate does not cure the breach or end the violation within the time specified by Covered Entity;

 

(ii) Immediately terminate this BAA and the Agreement if Business Associate has breached a material term of this BAA and cure is not possible; or

 

(iii) If neither termination nor cure is feasible, Covered Entity shall report the violation to the Secretary.

 

(c) Effect of Termination. Upon termination of this Agreement, the parties hereby acknowledge that the return or destruction of PHI received by the Business Associate from Covered Entity is likely not feasible, and that, therefore, Business Associate may retain a copy of such Protected Health Information provided that: (i) the provisions of this BAA shall continue to apply to any such information retained following cancellation, termination, expiration, or other conclusion of the Agreement; and (ii) Business Associate shall limit uses and disclosures of such PHI to those purposes that make the return or destruction thereof not feasible, for as long as Business Associate maintains such PHI.

 

5. Miscellaneous.

 

(a) Regulatory References. A reference in this BAA to a section of the law means the section as in effect or as amended.

 

(b) Amendment. The Parties agree to take such action as is necessary to amend this BAA from time to time as is necessary for either Party or both Parties to comply with the requirements of the HIPAA Standards.

 

(c) Survival. The respective rights and obligations of the parties which by their nature are intended to survive the expiration or termination of this BAA shall survive.

 

(d) Interpretation. Any ambiguity in this BAA shall be resolved to permit Covered Entity to comply with the HIPAA Standards.

 

(e) Construction of Terms. The terms of this BAA shall be construed in light of any applicable interpretation or guidance that may be issued from time to time on the HIPAA Standards by the Department of Health and Human Services or its Office of Civil Rights.

 

(f) No Third Party Beneficiaries. Nothing in this Agreement shall confer upon any person other than the parties and their respective successors or assigns, any rights, remedies, obligations, or liabilities whatsoever.

 

(g) Contradictory Terms. Any provision of the Agreement that is directly contradictory to one or more terms of this BAA shall be superseded by the terms of this BAA as of the Effective Date of this BAA to the extent and only to the extent of the contradiction, only for the purpose of the Covered Entity's compliance with the HIPAA Standards, and only to the extent that it is reasonably impossible to comply with both the conflicting term and the terms of this BAA.

 

(h) HITECH Act Applicability. To the extent not referenced or incorporated herein, requirements applicable to Business Associate and Covered Entity under the HITECH Act are hereby incorporated by reference into this BAA. Business Associate and Covered Entity agree to comply with applicable requirements imposed under the HITECH Act, as of the effective date of each such requirement.

 

(i) Off-Shore. Without in each case the prior written consent of Covered Entity, Business Associate shall not take or send PHI or Personal Information or undertake any action, activity or service related to this BAA or the Agreement outside of the United States of America (whether directly or indirectly through contract with any person or entity that undertakes any function, activity or service outside of the United States of America).

(j) Ownership of Information. The Parties agree that the Protected Health Information and Personal Information is, and shall remain, the property of Covered Entity or its clients or customers.

 

(k) Indemnification. Business Associate agrees to indemnify and hold harmless Covered Entity, its employees, officers, trustees, agents, and contractors from any and all liability, including reasonable attorneys' fees, costs of defense, and costs of mitigation and/or notification, that may arise from Business Associate's breach of this BAA.

 

(l) Equitable and Injunctive Relief. The parties acknowledge that the use or disclosure of Protected Health Information in a manner inconsistent with this BAA or the Agreement will cause Covered Entity irreparable damage and that Covered Entity shall have the right to equitable and injunctive relief to prevent the unauthorized use or disclosure and to such damages as are occasioned by such unauthorized use or disclosure in addition to other remedies available at law or in equity. Covered Entity's remedies under this BAA and the Agreement shall be cumulative, and the exercise of any remedy shall not preclude the exercise of any other.

 

(m) Insurance. Business Associate shall maintain appropriate and adequate insurance coverage to cover Business Associate's obligations pursuant to this BAA, in amounts not less than may be required by the Agreement.