BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement (“Agreement”) shall be incorporated into the applicable Terms of Service or Enrollment Form for Kenect Clients that are Covered Entities and provide Protected Health Information to Kenect in the course of using or accessing the Kenect Service.
This Agreement shall be effective as of the Effective Date of the Enrollment Form entered into by and between Kenect, LLC (“Business Associate”) and the Client (the “Covered Entity”) (each a “Party” and collectively the “Parties”). By executing the Enrollment Form, the Parties agree that they are explicitly bound by the covenants found herein.
The Parties have previously executed, are simultaneously executing, or want to enter into contractual arrangements by which the Business Associate receives, uses or discloses Protected Health Information (“PHI”) in performing the Services on behalf of the Covered Entity (“Underlying Agreement”). When used in this Agreement, the term Underlying Agreement means all current or future agreements between the Parties in which Business Associate receives, uses or discloses PHI in performing Services on behalf of the Covered Entity.
The Parties are committed to complying with the Standards for Privacy of Individually Identifiable Health Information (the “Privacy Rule”) and the Standards for Security of Electronic Protected Health Information (the “Security Rule”) under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). This Agreement, in conjunction with the Privacy and Security Rules, sets forth the terms and conditions pursuant to which PHI (electronic and non-electronic) that is created, received, maintained, or transmitted by the Business Associate from or on behalf of Covered Entity, will be handled between the Business Associate and Covered Entity and with third parties during the term of their Underlying Agreement and after its termination. If any provisions of this Agreement and the Parties’ Underlying Agreement conflict, the provisions of this Agreement shall supersede and govern. The Parties agree as follows:
1. PERMITTED USES AND DISCLOSURES OF PHI
1.1 Services. Pursuant to the Underlying Agreement, Business Associate provides services (“Services”) for Covered Entity that involve the receipt, use and disclosure of PHI. Except as otherwise specified herein, the Business Associate may make any and all uses of PHI necessary to perform its obligations under the Underlying Agreement. All other uses not authorized by this Agreement are prohibited. Moreover, Business Associate may disclose PHI for the purposes authorized by this Agreement only: (i) to its employees, subcontractors and agents, in accordance with Section 2.1(d), or (ii) as otherwise permitted by or as required by the Privacy or Security Rule.
1.2 Business Activities of the Business Associate. Unless otherwise limited herein and if such use or disclosure of PHI would not violate the Privacy or Security Rules if done by the Covered Entity, the Business Associate may:
a. Use the PHI in its possession for its proper management and administration and to fulfill any present or future legal responsibilities of the Business Associate provided that such uses are permitted under state and federal confidentiality laws.
b. Disclose the PHI in its possession to third parties for the purpose of its proper management and administration or to fulfill any present or future legal responsibilities of the Business Associate, provided that the Business Associate represents to Covered Entity, in writing, that (i) the disclosures are required by law, or (ii) the Business Associate has received from the third party written assurances regarding its confidential handling of such PHI as required under 45 C.F.R. § 164.504(e)(4) and § 164.314, and the third party notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
c. Business Associate may provide data aggregation services relating to the health care operations of the Covered Entity.
2. RESPONSIBILITIES OF THE PARTIES WITH RESPECT TO PHI
2.1 Responsibilities of the Business Associate. With regard to its use and disclosure of PHI, the Business Associate hereby agrees to do the following:
a. Not use or disclose PHI other than as permitted or required by the Agreement or as required by law.
b. Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic PHI, to prevent use or disclosure of PHI other than as provided for by the Agreement.
c. Report, in writing, to Covered Entity within five (5) business days any use or disclosure of PHI not provided for by the Agreement of which it becomes aware, including breaches of unsecured PHI as required at 45 CFR 164.410, and any security incident of which it becomes aware, and cooperate with the Covered Entity in any mitigation or breach reporting efforts.
d. In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, to ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information.
e. Ensure that any agent or subcontractor to whom the Business Associate provides PHI, as well as Business Associate, not export PHI for storage beyond the borders of the United States of America.
f. With respect to any agent or subcontractor who has access to PHI from beyond the borders of the United States of America:
i. Ensure that any such individuals are bound by the terms and conditions of this Agreement or a subcontractor Agreement containing substantially similar terms and conditions; and
ii. Ensure that any such individuals with access to PHI beyond the borders of the United States of America are subject to the jurisdiction of the courts in the United States of America; and
iii. Ensure that any such persons with access to PHI have received current HIPAA Privacy & Security training.
g. Within ten (10) business days of a request of Covered Entity, make available PHI in a designated record set, if applicable, to Covered Entity, as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.524.
h. Within ten (10) business days, make any amendment(s) to PHI, if applicable, in a designated record set as directed or agreed to by the Covered Entity pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.526.
i. As applicable, maintain and make available the information required to provide an accounting of disclosures as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.528.
j. To the extent the Business Associate is to carry out one or more of Covered Entity’s obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligations.
k. Make its internal practices, books, and records available to the Secretary and to the Covered Entity for purposes of determining compliance with the HIPAA Rules.
l. Comply with minimum necessary requirements under the HIPAA Rules.
2.2 Responsibilities of Covered Entity. With regard to the use and disclosure of PHI by the Business Associate, Covered Entity hereby agrees:
a. To inform the Business Associate of any limitations in the form of notice of privacy practices that Covered Entity provides to individuals pursuant to 45 C.F.R. § 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI.
b. To inform the Business Associate of any changes in, or revocation of, the permission by an individual to use or disclose PHI, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI.
c. To notify the Business Associate, in writing and in a timely manner, of any restriction on the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 CFR 164.522, to the extent that such restriction may impact in any manner the use or disclosure of PHI by the Business Associate under this Agreement.
d. Except if the Business Associate will use or disclose PHI for (and the Underlying Agreement includes provisions for) data aggregation, or management/administrative/legal responsibilities of the Business Associate, Covered Entity will not request Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy and Security Rule if done by the Covered Entity.
3. TERMS AND TERMINATION
3.1 Term. The Term of this Agreement shall commence on the Effective Date, and shall terminate on the termination date of the relevant Underlying Agreement or on the date Covered Entity terminates this Agreement for cause as authorized in paragraph 3.2 of this Section, whichever is sooner.
3.2 Termination for Cause. Business Associate authorizes termination of this Agreement by Covered Entity, if Covered Entity determines Business Associate has violated a material term of the Agreement and Business Associate has not cured the breach or ended the violation within the time specified by Covered Entity.
3.3 Obligations of Business Associate upon Termination. Business Associate agrees to return or destroy all PHI pursuant to 45 C.F.R. § 164.504(e)(2)(ii)(J), if it is feasible to do so. If it is not feasible for the Business Associate to return or destroy said PHI, the Business Associate will notify Covered Entity in writing. Said notification shall include: (i) a statement that the Business Associate has determined that it is not feasible to return or destroy the PHI in its possession, and (ii) the specific reasons for such determination. Business Associate further agrees to extend any and all protections, limitations and restrictions contained in this Agreement to the Business Associate’s use and disclosure of any PHI retained after the termination of this Agreement, and to limit any further uses or disclosures to the purposes that make the return or destruction of the PHI infeasible. If it is infeasible for the Business Associate to obtain, from a subcontractor or agent, any PHI in the possession of the subcontractor or agent, the Business Associate must provide a written explanation to Covered Entity of the reasons therefor, and require the subcontractors and agents to agree to extend any and all protections, limitations and restrictions contained in this Agreement to the subcontractors’ and agents’ use and disclosure of any PHI retained after the termination of this Agreement, and to limit any further uses and disclosures to the purposes that make the return or destruction of the PHI infeasible.
3.4 Automatic Termination. This Agreement will automatically terminate without any further action of the Parties upon the termination or expiration of the Underlying Agreement.
4.1 Business Associate. For purposes of this Agreement, Business Associate shall include the named Business Associate herein. However, in the event that the Business Associate is otherwise a Covered Entity under the Privacy or Security Rule, that entity may appropriately designate a health care component of the entity, pursuant to 45 C.F.R. § 164.504(a), as the Business Associate for purposes of this Agreement.
4.2 Survival. The respective rights and obligations of Business Associate and Covered Entity under this Agreement shall survive termination of this Agreement indefinitely.
4.3 Amendments; Waiver. This Agreement may not be modified, nor shall any provision hereof be waived or amended, except in a writing duly signed by authorized representatives of the Parties. A waiver with respect to one event shall not be construed as continuing, or as a bar to or waiver of any right or remedy as to subsequent events. The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for compliance with the requirements of the HIPAA Rules and any other applicable law.
4.4 Interpretation. Any ambiguity in this Agreement shall be interpreted to permit compliance with the HIPAA Rules.
4.5 No Third Party Beneficiaries. Nothing express or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than the Parties and the respective successors or assigns of the Parties, any rights, remedies, obligations, or liabilities whatsoever.
4.6 Notices. Any notices to be given hereunder to a Party shall be made via U.S. Mail or express courier to such Party’s address given below, or (other than for the delivery of fees) via facsimile to the facsimile telephone numbers listed below.
If to Business Associate, to:
Attn: Jeff Jones
1064 S N County Blvd #300
Pleasant Grove, UT 84062
If to Covered Entity, to:
The primary contact and address listed in Covered Entity’s Kenect account information.
The following terms used in this Agreement shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Protected Health Information (“PHI”), Required by Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use. Specific definitions include:
a. Business Associate. “Business Associate” shall generally have the same meaning as the term “business associate” at 45 CFR 160.103, and in reference to the party to this Agreement, shall mean Kenect, LLC.
b. Covered Entity. “Covered Entity” shall generally have the same meaning as the term “Covered Entity” at 45 CFR 160.103, and in reference to the party to this Agreement, shall mean the Client.
c. HIPAA Rules. “HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164. A reference in this Agreement to a section in the HIPAA Rules means the section as in effect or as amended.
d. Electronic Protected Health Information or Electronic PHI. Electronic PHI which is transmitted by Electronic Media (as defined in the HIPAA Security and Privacy Rule) or maintained in Electronic Media.
e. Privacy Officer. Privacy Officer shall have the meaning as set out in its definition at 45 C.F.R. § 164.530(a)(1) as such provision is currently drafted and as it is subsequently updated, amended or revised.
f. Privacy Rule. Privacy Rule shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. part 160 and part 164.
g. Security Rule. Security Rule shall mean the Standards for Security of Electronic Protected Health Information at 45 CFR Parts 160, 162, and 164.