Business Associate Agreement
THIS BUSINESS ASSOCIATE AGREEMENT ("BAA") is made effective as of the date of electronic acceptance by the Covered Entity (the "Effective Date"), by and between the accepting user ("Covered Entity") and Steady Clinical LLC ("Business Associate").
Recitals
WHEREAS, Covered Entity and Business Associate have entered into a services contract or arrangement, including without limitation the Terms of Service provided on Business Associate's website (collectively the "Services Arrangement"), pursuant to which Business Associate provides to Covered Entity certain AI-powered clinical consultation and skills development tools;
WHEREAS, Covered Entity and Business Associate are entering into this BAA in order to comply with the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 and Subtitle D of the Health Information Technology for Economic and Clinical Health ("HITECH") Act, and the regulations and guidance promulgated pursuant to the foregoing laws (collectively, "HIPAA"); and
WHEREAS, to the extent the parties have previously entered into a business associate contract, this BAA supersedes and replaces such contract as of the date stated above.
NOW, THEREFORE, in consideration of the mutual promises set forth in this BAA and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, Covered Entity and Business Associate hereby agree to the following terms.
1. Definitions
1.1. Breach shall have the same meaning as the term "breach" in 45 CFR §164.402.
1.2. Designated Record Set shall have the same meaning as the term "designated record set" in 45 CFR §164.501.
1.3. Electronic Protected Health Information shall have the same meaning as the term "electronic protected health information" in 45 CFR §160.103, limited to the information created or received by Business Associate from or on behalf of Covered Entity.
1.4. Individual shall have the same meaning as the term "individual" in 45 CFR §160.103 and shall include a person who qualifies as a personal representative in accordance with 45 CFR §164.502(g).
1.5. Privacy Rule shall mean 45 CFR Part 160 and Part 164, Subparts A and E.
1.6. Protected Health Information shall have the same meaning as the term "protected health information" in 45 CFR §160.103, limited to the information created or received by Business Associate from or on behalf of Covered Entity.
1.7. Required By Law shall have the same meaning as the term "required by law" in 45 CFR §164.103.
1.8. Secretary shall mean the Secretary of the Department of Health and Human Services or his or her designee.
1.9. Security Incident shall have the same meaning as the term "security incident" in 45 CFR §164.304.
1.10. Security Rule shall mean 45 CFR Part 160 and Part 164, Subparts A and C.
1.11. Subcontractor shall have the same meaning as the term "subcontractor" in 45 CFR §160.103.
1.12. Unsecured Protected Health Information shall have the same meaning as the term "unsecured protected health information" in 45 CFR §164.402.
Unless otherwise provided in this BAA, all capitalized or uncapitalized terms have the same meaning as set forth in HIPAA, as amended. All citations to the Code of Federal Regulations set forth in this BAA shall include all subsequent, updated, amended and/or revised provisions thereto.
2. Obligations and Activities of Business Associate
2.1. Business Associate agrees to not use or further disclose Protected Health Information other than as permitted or required by this BAA or as Required By Law.
2.2. Business Associate agrees to use appropriate safeguards and comply, where applicable, with the Security Rule with respect to Electronic Protected Health Information, to prevent use or disclosure of the information other than as provided for by this BAA.
2.3. Business Associate agrees to report to Covered Entity any use or disclosure of the Protected Health Information not provided for by this BAA of which it becomes aware, including any Breaches of Unsecured Protected Health Information as required by 45 CFR §164.410.
2.4. In accordance with 45 CFR §164.502(e)(1)(ii), Business Associate agrees to ensure that any Subcontractors that create, receive, maintain, or transmit Protected Health Information on behalf of Business Associate agree to restrictions and conditions substantially similar to those that apply through this BAA to Business Associate with respect to such information.
2.5. If Business Associate maintains Protected Health Information in a Designated Record Set, Business Associate agrees to make available such Protected Health Information as necessary to satisfy Covered Entity's obligations under 45 CFR §164.524 and make available such Protected Health Information for amendment and incorporate any amendments to such Protected Health Information as necessary to satisfy Covered Entity's obligations under 45 CFR §164.526.
2.6. Business Associate agrees to make its internal practices, books, and records relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of, Covered Entity available to the Secretary for purposes of the Secretary determining Covered Entity's compliance with the Privacy Rule.
2.7. Business Associate agrees to maintain and make available the information required to provide an accounting of disclosures of Protected Health Information as necessary to satisfy Covered Entity's obligations under 45 CFR §164.528 and the HITECH Act.
2.8. With respect to Electronic Protected Health Information, Business Associate agrees to (a) comply with the applicable requirements of the Security Rule, (b) in accordance with 45 CFR §164.308(b)(2), ensure that any Subcontractors that create, receive, maintain or transmit Electronic Protected Health Information on behalf of Business Associate agree to comply with the applicable requirements of the Security Rule by entering into a contract or other arrangement that complies with 45 CFR §164.314, and (c) report to Covered Entity any Security Incident of which it becomes aware, including Breaches of Unsecured Protected Health Information as required by 45 CFR §164.410. This section constitutes ongoing notice by Business Associate to Covered Entity of the existence and occurrence of attempted but Unsuccessful Security Incidents for which no additional notice to Covered Entity is required. The term "Unsuccessful Security Incidents" includes, without limitation: pings and other broadcast attacks on Business Associate's firewalls, port scans, unsuccessful log-on attempts, denial of service attacks, and any combination of the foregoing, so long as no such incident results in unauthorized access to, use or disclosure of Electronic Protected Health Information.
2.9. To the extent Business Associate is to carry out any obligation of Covered Entity under the Privacy Rule, Business Associate shall comply with the requirements of the Privacy Rule that apply to the Covered Entity with respect to such obligation.
3. Permitted Uses and Disclosures by Business Associate
3.1. Business Associate may use or disclose Protected Health Information to perform functions, activities or services for or on behalf of Covered Entity pursuant to the Services Arrangement, provided that any such use or disclosure would not violate the Privacy Rule if done by Covered Entity, subject to Sections 3.2 and 3.3 below.
3.2. Business Associate may use Protected Health Information for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate.
3.3. Business Associate may disclose Protected Health Information for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, provided that disclosures are Required By Law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
3.4. Business Associate may de-identify Protected Health Information in accordance with 45 CFR §164.514(a)-(c). Business Associate may use such de-identified data for operational improvements, analytics, product development, statistical reporting and other purposes not prohibited by applicable law. Any de-identified data used by Business Associate shall not include any identifiable patient or Covered Entity information.
3.5. Business Associate may use Protected Health Information to report violations of law to appropriate Federal and State authorities, consistent with §164.502(j)(1).
4. Obligations of Covered Entity
4.1. Covered Entity shall not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under the Privacy Rule if done by Covered Entity.
4.2. Covered Entity shall notify Business Associate of any limitation(s) in the notice of privacy practices of Covered Entity in accordance with 45 CFR §164.520, to the extent that such limitation may affect Business Associate's use or disclosure of Protected Health Information.
4.3. Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by any Individual to use or disclose Protected Health Information, to the extent that such changes may affect Business Associate's use or disclosure of Protected Health Information.
4.4. Covered Entity shall notify Business Associate of any restriction on the use or disclosure of Protected Health Information that Covered Entity has agreed to in accordance with 45 CFR §164.522, to the extent that such restriction may affect Business Associate's use or disclosure of Protected Health Information.
5. Term and Termination
5.1. Term. The term of this BAA shall begin as of the Effective Date and shall terminate upon (i) the later of the termination or expiration of the Services Arrangement or the cessation of all services pursuant to the Services Arrangement or (ii) the termination of this BAA pursuant to Section 5.2 below.
5.2. Termination for Cause. This BAA may be terminated by either party upon the material breach of this BAA by the other party in the event that the defaulting party fails to cure such material breach within thirty (30) days following written notice from the non-defaulting party describing such material breach.
5.3. Effect of Termination. Upon termination of this BAA for any reason, Business Associate shall return or destroy all Protected Health Information received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity. Notwithstanding the foregoing sentence, in the event Business Associate determines that returning or destroying certain Protected Health Information is infeasible, Business Associate shall retain such Protected Health Information, extending the protections of this BAA to such Protected Health Information and limiting further uses and disclosures of such Protected Health Information to those purposes for which such Protected Health Information was retained. For purposes of this Section 5.3, "infeasible" includes but is not limited to circumstances in which further use or disclosure of Protected Health Information is or may be Required By Law or otherwise necessary for Business Associate's proper management and administration or carrying out its legal responsibilities.
6. Miscellaneous
6.1. Regulatory References. A reference in this BAA to a section in the Privacy or Security Rule or other section of the HIPAA regulations means the section as in effect or as amended.
6.2. Survival. Any provision of this BAA which imposes an obligation after termination of this BAA, including but not limited to Section 5.3 and Section 6, shall survive the termination of this BAA and continue to be binding on the parties.
6.3. Interpretation; Entire Agreement; Amendment. Any ambiguity in this BAA shall be resolved to permit Covered Entity and Business Associate to comply with HIPAA. With respect to the subject matter of this BAA, this BAA supersedes all previous contracts by and between the parties and, together with the Services Arrangement, constitutes the entire agreement between the parties. In the event that a provision of this BAA conflicts with a provision of the Services Arrangement, the provision of this BAA shall control; provided, however, that to the extent any provision within the Services Arrangement imposes more stringent requirements than those required in the BAA with respect to the privacy or security of Protected Health Information, the parties agree to adhere to the terms of the Services Arrangement, and provided, however, that the limitation of liability provisions of the Services Arrangement shall apply to and govern this BAA. This BAA may be amended only by written agreement between the parties.
6.4. Assignment. No assignment of the rights or obligations of either party under this BAA shall be made without the express written consent of the other party, which consent shall not be unreasonably withheld. This BAA shall be binding upon and shall inure to the benefit of the parties, their respective successors and permitted assignees.
6.5. Governing Law. To the extent not preempted by Federal law, this BAA shall be governed and construed in accordance with the laws of the State of Tennessee, without regard to conflicts of law provisions that would require application of the law of another state.
6.6. Counterparts; Signature. This BAA may be executed in multiple counterparts, which together shall constitute an original. This BAA may also be executed by electronic acceptance through the Steady Clinical platform.
6.7. No Third Party Beneficiaries. Nothing express or implied in this BAA is intended to confer, nor shall anything herein confer, upon any person other than the parties and the respective successors and assigns of the parties any rights, remedies, obligations, or liabilities whatsoever.
6.8. Other Requirements. Business Associate and Covered Entity agree that, to the extent not incorporated or referenced in this BAA, other requirements under the HITECH Act (as well as any other requirements under HIPAA) that apply to business associates, and that are required to be incorporated by reference in a business associate agreement, are incorporated into this BAA as if set forth in this BAA in their entirety and are effective as of the applicable date for each such requirement on which the Secretary will require business associates to comply with such requirement. Business Associate shall comply with the obligations of a business associate as prescribed by HIPAA and the HITECH Act commencing on the applicable date of each such requirement.
Contact
For questions about this Business Associate Agreement:
Reese Armstrong
Steady Clinical, LLC
Email: reese@steadyclinical.com
Website: https://www.steadyclinical.com