This Business Associate Agreement (“BAA”) is made by and between hc1 Insights, Inc., formerly known as hc1.com Inc. (“Business Associate”) and (“Covered Entity”) and effective as of the Effective Date of the Agreement.
1. Definitions. For purposes of this BAA and the Agreement, the following terms shall have the designated meanings. All other terms shall have the same meanings as in HIPAA or HITECH.
(a) “Administrative Safeguards” shall mean administrative actions, policies, and procedures to manage the selection, development, implementation, and maintenance of security measures to protect Electronic PHI and to manage the conduct of the Business Associate’s workforce in relation to the protection of that information.
(b) “Breach” shall mean the unauthorized acquisition, access, use, or disclosure of unsecured PHI which compromises the security or privacy of such information, but excludes:
- Any unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of Covered Entity or Business Associate, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under the Privacy Standards;
- Any inadvertent disclosure by a person who is authorized to access PHI at Covered Entity or Business Associate to another person authorized to access PHI at Covered Entity or Business Associate and the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under the Privacy Standards; and
- A disclosure of PHI where Covered Entity or Business Associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.
(c) “Designated Record Set” shall mean a group of records maintained by or for Business Associate or the Covered Entity that is (a) the medical records and billing records about individuals maintained by or for Business Associate or the Covered Entity, (b) the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan, or (c) used, in whole or in part, by or for Business Associate to make decisions about individuals. As used herein, the term “Record” means any item, collection, or grouping of information that includes PHI and is maintained, collected, used, or disseminated by or for Business Associate or the Covered Entity.
(d) “Electronic PHI” shall mean PHI that is transmitted or maintained in electronic media.
(e) “HIPAA” shall mean the Health Insurance Portability and Accountability Act of 1996, and any amendments thereto.
(f) “HITECH” shall mean the Health Information Technology for Economic and Clinical Health Act, which is Title XIII of the American Recovery and Reinvestment Act, and any amendments, regulations, rules, and guidance issued thereto and the relevant dates for compliance.
(g) “Individually Identifiable Health Information” shall mean information that is a subset of health information, including demographic information collected from an individual, and
- is created or received by a healthcare provider, health plan, employer, or healthcare clearinghouse; and
- relates to the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual; and (1) identified the individual, or (2) there is a reasonable basis to believe the information can be used to identify the individual.
(h) “Physical Safeguards” shall mean physical measures, policies, and procedures to protect Business Associate’s electronic information systems and related buildings and equipment from natural environmental hazards and unauthorized intrusion.
(i) “Privacy Standards” shall mean the Standards for Privacy of Individually Identifiable Health Information, 45 C.F.R. Parts 160 and 164.
(j) “Protected Health Information” or “PHI” shall mean: (a) Individually Identifiable Health Information that is transmitted by electronic media; (b) maintained in any medium constituting electronic media; or (c) transmitted or maintained in any other form or medium. “PHI” shall not include education records covered by the Family Educational Right and Privacy Act, as amended, 20 U.S.C. § 1232g, or records described in 20U.S.C. § 1232g(a)(4)(B)(iv).
(k) “Secretary” shall mean the Secretary of the United States Department of Health and Human Services.
(l) “Security Incident” shall mean the attempted or successful unauthorized access, use, disclosure, modification or destruction of information or interference with system operations in an information system.
(m) “Security Standards” shall mean the regulations with regard to security standards for health information, 45 C.F.R. Parts 160 and 164.
(n) “Technical Safeguards” shall mean the Standards for Electronic Transactions, 45 C.F.R. 160 and 162.
(o) “Transaction Standards” shall mean the Standards for Electronic Transactions, 45 C.F.R.
(p) “Unsecured PHI” shall mean PHI not secured through the use of a technology or methodology specified in guidance by the Secretary that renders PHI unusable, unreadable, or indecipherable to unauthorized individuals.
2. Compliance with Applicable Law. The parties acknowledge and agree that, beginning with the relevant effective dates, Business Associate shall comply with its obligations under this BAA and with all obligations of a business associate under HIPAA, HITECH and the implementing regulations thereunder, as they exist at the time this BAA is executed and as they are amended, for so long as this BAA is in place.
3. Uses and Disclosures of PHI. Business Associate shall not use or disclose PHI received from the Covered Entity in any manner that is not permitted or required by the Agreement, this BAA or required by law. Business Associate may use PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate. Business Associate may create de-identified information in accordance with 45 C.F.R. §164.502(b), provided that such de-identified information may be used and disclosed only consistent with applicable law.
Business Associate may use PHI to provide data aggregation services to the Covered Entity as permitted by 45 C.F.R. §164.504(e)(2)(i)(B). To the extent required by HIPAA, Business Associate agrees to make reasonable efforts to limit any use, disclosure, or request for use or disclosure of PHI to the minimum amount of PHI necessary to accomplish the intended purpose of the use, disclosure, or request.
4. Reporting of Improper Use and Disclosures of PHI. Business Associate shall notify the Covered Entity within five (5) business days of discovering any suspected or actual use or disclosure of PHI in violation of this BAA by Business Associate, its officers, directors, employees, agents or subcontractors, or by a third party to whom Business Associate disclosed PHI.
5. Reporting of Breaches of Unsecured PHI. Business Associate shall notify the Covered Entity within five (5) business days of discovering a Breach of unsecured PHI in accordance with 45 CFR 164.314.
6. Mitigation of Harmful Effects. Business Associate agrees to mitigate, to the extent practicable, any harmful effect of a use or disclosure of PHI by Business Associate in violation of the requirements of this BAA.
7. Agreements by Third Parties. Business Associate shall enter into an agreement with any agent or subcontractor of Business Associate that will have access to PHI that is received from or is created or received by, Business Associate on behalf of the Covered Entity. Pursuant to such agreement, the agent or subcontractor shall agree to be bound by the same restrictions, terms, and conditions that apply to Business Associate under this BAA with respect to such PHI.
8. Access to Information. To the extent that Business Associate maintains a Designated Record Set on behalf of the Covered Entity, Business Associate shall, within five (5) business days of a request by the Covered Entity for access to PHI about an individual contained in the Designated Record Set, make available to the Covered Entity such PHI for so long as such information is maintained by Business Associate in the Designated Record Set, as required by 45 C.F.R. § 164.524. In the event any individual delivers directly to Business Associate a request for access to PHI, Business Associate shall within two (2) business days forward such request to the Covered Entity.
9. Availability of PHI for Amendment. To the extent that Business Associate maintains a Designated Record Set on behalf of the Covered Entity, Business Associate shall, within ten (10) business days of receipt of a request from the Covered Entity for the amendment of an individual’s PHI or a record regarding an individual contained in a Designated Record Set (for so long as the PHI is maintained in the Designated Record Set), Business Associate shall provide such information to the Covered Entity for amendment and incorporate any such amendments in the PHI as required by 45 C.F.R. § 164.526.
10. Documentation of Disclosures. To the extent expressly required by 45 C.F.R. § 164.528, Business Associate agrees to document disclosures of PHI and information related to such disclosures as would be required for the Covered Entity to respond to a request by an individual for an accounting of disclosures of PHI, providing Covered Entity with the following information: (a) the date of the disclosure; (b) the name of the entity or person who received the PHI, and if known, the address of such entity or person; (c) a brief description of the PHI disclosed; and (d) a brief statement of the purpose of such disclosure which includes an explanation of the basis for such disclosure.
11. Accounting of Disclosures. Business Associate shall, within ten (10) business days of notice by the Covered Entity to Business Associate that it has received a request for an accounting of disclosures of PHI regarding an individual during the six (6) years prior to the date on which the accounting was requested, make available to the Covered Entity information collected in accordance with Section 10 of this BAA, to permit the Covered Entity to respond to the request for an accounting of disclosures of PHI, to the extent expressly required by 45 C.F.R. § 164.528.
12. Availability of Books and Records. Business Associate hereby agrees to make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of the Covered Entity available to the Secretary for purposes of determining the Covered Entity’s compliance with the Privacy Standards.
13. Other Transactions. To the extent Business Associate is to carry out a covered entity’s obligation under 45 CFR Part 164, Subpart E, Business Associate shall comply with the requirements that apply to the covered entity in the performance of such obligation.
14. Electronic PHI. To the extent that Business Associate creates, receives, maintains or transmits Electronic PHI on behalf of the Covered Entity, Business Associate shall comply with the Security Standards as of the relevant, effective date and further, shall:
- Implement Administrative, Physical and Technical Safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the Electronic PHI, in accordance with 45 CFR 500;
- Ensure that any agent, including a Business Associate, to whom it provides Electronic PHI agrees to implement reasonable and appropriate safeguards to protect it; and
- Report to the Covered Entity any Security Incident resulting in a Breach of Unsecured PHI of which Business Associate becomes
15. Term, Termination, and Effect of Termination of the BAA.
- Term. This BAA shall terminate when all of the PHI provided by the Covered Entity to the Business Associate, or created and received by the Business Associate on behalf of the Covered Entity, is returned to the Covered Entity, or, at the Covered Entity’s direction, is
- Termination. The Covered Entity or Business Associate may terminate this BAA pursuant to Sections 16 and 17, This BAA will automatically terminate upon the expiration or termination of the Agreement.
- Effect of Termination. Except as required by law, upon the termination of the Agreement or this BAA for any reason, Business Associate shall return to the Covered Entity or, at the Covered Entity’s direction, destroy all PHI received from the Covered Entity or created or received by the Business Associate on behalf of the Covered Entity that Business Associate maintains in any form, recorded on any medium, or stored in any storage system, unless said information has been de-identified and is no longer PHI. This provision shall apply to PHI that is in the possession of Business Associate or agents or subcontractors of Business Associate. Business Associate shall retain no copies of the PHI. Business Associate shall remain bound by the provisions of this BAA, even after termination of the BAA until such time as all PHI has been returned, de-identified or otherwise destroyed as provided in this Section 15.
16. Breach of Contract by Business Associate. Covered Entity may terminate the Agreement and this BAA if the Covered Entity determines that Business Associate has violated a material term of this BAA and Business Associate fails to cure such violation within thirty (30) days after written notice to Business Associate, provided that if such violation is not susceptible to being cured within such thirty (30) day period, but Business Associate promptly commences such cure, said thirty (30) day period shall be extended so long as Business Associate is actively, diligently and continuously attempting to effectuate such cure.
17. Breach of Contract by The Covered Entity. Business Associate may terminate the Agreement and this BAA if Business Associate knows of a material breach by the Covered Entity that is not cured within thirty (30) days after written notice to Covered Entity, provided that if such violation is not susceptible to being cured within such thirty (30) day period, but Covered Entity promptly commences such cure, said thirty (30) day period shall be extended so long as Covered Entity is actively, diligently and continuously attempting to effectuate such cure. Business Associate will report the problem to the Secretary to the extent expressly required and shall provide advance or simultaneous notice to the Covered Entity.
18. Breach of Contract by a Subcontractor. If Business Associate is aware of a pattern of activity or practice of a subcontractor that constitutes a material breach of violation of the subcontractor’s obligations under a contract involving the creation, receipt, maintenance, or transmission of PHI, Business Associate shall take reasonable steps to ensure that the subcontractor cures the breach or ends the violation, as applicable, or the Business Associate shall terminate the contract, if feasible, in accordance with 45 CFR 164.504.
19. Third Party Rights. The terms of this BAA are not intended, nor should they be construed, to grant any rights to any parties other than Business Associate and the Covered Entity.
20. Indemnification and Limitation of Liability. Business Associate shall indemnify and hold harmless the Covered Entity and its officers, trustees, employees, and agents from any and all claims, penalties, fines, costs, liabilities or damages, including but not limited to reasonable attorneys’ fees, incurred by the Covered Entity arising from a violation by Business Associate of its obligations under this BAA. NOTWITHSTANDING THE FOREGOING OR ANY OTHER PROVISION IN THIS BAA TO THE CONTRARY, THE TOTAL AMOUNT BY WHICH BUSINESS ASSOCIATE AGREES TO INDEMNIFY THE COVERED ENTITY HEREUNDER SHALL NOT EXCEED THREE MILLION DOLLARS ($3,000,000.00); PROVIDED, HOWEVER, FINES AND PENALTIES ASSESSED BY THE FEDERAL GOVERNMENT AGAINST THE COVERED ENTITY FOR VIOLATIONS OF FEDERAL LAW AND REGULATIONS CAUSED SOLELY BY BUSINESS ASSOCIATE’S BREACH WILL NOT BE SUBJECT TO THE FOREGOING LIMITATION OF LIABILITY.
NOTWITHSTANDING ANYTHING TO THE CONTRARY CONTAINED IN THE AGREEMENT OR THIS BAA, IN NO EVENT SHALL EITHER PARTY BE LIABLE TO THE OTHER FOR LOST PROFITS OR REVENUE OR FOR INCIDENTAL, CONSEQUENTIAL, PUNITIVE, COVER, SPECIAL, RELIANCE OR EXEMPLARY DAMAGES, OR INDIRECT DAMAGES OF ANY TYPE OR KIND HOWEVER CAUSED, WHETHER FROM BREACH OF WARRANTY, BREACH OR REPUDIATION OF CONTRACT, NEGLIGENCE, GROSS NEGLIGENCE, WILLFUL MISCONDUCT OR ANY OTHER LEGAL CAUSE OF ACTION FROM OR IN CONNECTION WITH THE AGREEMENT OR THIS BAA (AND WHETHER OR NOT THE PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES) TO THE MAXIMUM EXTENT PERMITTED BY LAW.
21. Injunctive Relief. Business Associate acknowledges and stipulates that if its unauthorized use or disclosure of PHI while performing services pursuant to the Agreement or this BAA would cause irreparable harm to the Covered Entity, the Covered Entity shall be entitled, if it so elects, to institute and prosecute proceedings in any court of competent jurisdiction, either in law or in equity, to obtain damages and injunctive relief, together with the right to recover from Business Associate costs, including reasonable attorneys’ fees, for any such breach of the terms and conditions of this BAA.
22. Owner of PHI. Under no circumstances shall Business Associate be deemed in any respect to be the owner of any PHI used or disclosed by or to Business Associate pursuant to the terms of this BAA.
23. Changes in the Law. Through a written document signed by the parties, the Covered Entity and Business Associate will amend this BAA, as appropriate, to conform to any new or revised legislation, rules and regulations to which the Covered Entity is subject now or in the future including, without limitation, HIPAA, HITECH and the implementing regulations thereunder.
24. Judicial and Administrative Proceedings. In the event Business Associate receives a subpoena, court or administrative order or other discovery request or mandate for release of PHI, the Covered Entity shall have the right to control Business Associate’s response to such request. Business Associate shall notify the Covered Entity of the request as soon as reasonably practicable, but in any event within twenty-four (24) business hours of receipt of such request. Business Associate shall not provide comment, respond to, or release information in response to a subpoena, court or administrative order or other discovery request or mandate for release of PHI without the Covered Entity’s prior review and approval.
25. Assignment. Neither party may assign this BAA without written consent of the other; provided, however, either party may assign this BAA and delegate its obligations hereunder to any of its affiliates or may assign this BAA to a successor by way of merger or consolidation or the acquisition of substantially all of the business relating to the subject matter of this BAA. Subject to the foregoing, this BAA shall be binding on and inure to the benefit of the parties hereto and their respective successors and permitted assigns.
26. Entire Agreement; Modification. This BAA constitutes the entire agreement of the parties concerning the subject matter hereof and supersedes all previous representations, understandings, and agreements of the parties, whether oral or written, concerning the subject matter hereof. This BAA may only be modified by a written document signed by the parties hereto.
27. Governing Law. This BAA shall be construed pursuant to the laws of the State of Indiana and any suit or action thereon, regardless of when brought, shall be brought in an Indiana court of competent jurisdiction.
28. Notices. All notices given with regard to this BAA shall be in writing. A notice shall be deemed to have been given at the time when mailed by U.S. First Class mail or through the Covered Entity’s internal mail or hand delivered. Notices shall be given for each party to the individual and address listed below unless notice is given otherwise:
For Covered Entity: For Business Associate:
hc1 Insights, Inc.
6100 Technology Center Drive, Building K
Indianapolis, Indiana 46278
Attn: Attn: Chief Privacy Officer / firstname.lastname@example.org
with a copy to Covered Entity’s Chief Information Security Officer or similar designee:
or to other such address as a party may from time to time designate by notice to the other party.
29. Severability; Waiver. In the event that any provision hereof is found invalid or unenforceable pursuant to judicial decree or decision, the remainder of this BAA shall remain valid and enforceable according to its terms, except to the extent, if any, that such invalidity or unenforceability may deprive a party to this BAA of a material right or benefit reasonably anticipated by that party in entering into this BAA. The waiver by either party of a breach or violation of any provision of this BAA shall not operate as, or be construed to be, a waiver of any subsequent breach of the same or other provisions hereof.
IN WITNESS WHEREOF, the parties execute this BAA as of the date in which the latter of the two parties signs this BAA.
hc1 Insights, Inc.
“Business Associate” “Covered Entity”