Business Associate Agreement
Effective January 12, 2024
This Business Associate Agreement (“BAA”) is entered into by and between __________________ (“Covered Entity”), and Woolly Labs, Inc., d/b/a Vouched (“Business Associate”). This BAA supersedes and replaces in entirety all existing agreements between Business Associate and Covered Entity concerning the subject matter of this BAA, but in no way alters or amends any provisions of any additional agreements between the parties.
A. The parties have entered into, and may in the future enter into, one or more written agreements that require Business Associate to receive, maintain or transmit Protected Health Information (“PHI”) on behalf of Covered Entity (“Underlying Agreement(s)”).
B. The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH”) and their implementing regulations codified at 45 C.F.R. Parts 160 and 164, and any other implementing regulations applicable to privacy and security of PHI (“HIPAA Regulations”), govern the use and disclosure of PHI.
C. Covered Entity and Business Associate desire to ensure compliance with the HIPAA Regulations and applicable state laws regarding PHI.
NOW, THEREFORE, in consideration of the terms, conditions and covenants hereinafter set forth, the parties agree as follows:
1.1 Regulatory Definitions. Unless otherwise defined in this BAA, all capitalized terms used in this BAA have the meanings ascribed in the HIPAA Regulations; provided, however, that “PHI” and “ePHI” shall mean PHI and Electronic PHI, respectively, as defined in the HIPAA Regulations, limited to the information Business Associate received from or created or received on behalf of Covered Entity as Covered Entity’s Business Associate.
1.2 Administrative Safeguards. “Administrative Safeguards” shall have the same meaning as the term “administrative safeguards” in the HIPAA Regulations, with the exception that it shall apply to the management of the conduct of Business Associate’s workforce, not Covered Entity’s workforce, in relation to the protection of that information.
1.3 Covered Entity. For purposes of this BAA, Covered Entity shall include Covered Entity and all entities that participate in an Organized Health Care Arrangement with Covered Entity who may receive services from Business Associate under the Underlying Agreement(s).
2. OBLIGATIONS OF THE BUSINESS ASSOCIATE WITH RESPECT TO PHI
2.1 Use and Disclosure of PHI. Business Associate shall not Use or Disclose PHI received from the Covered Entity other than as permitted or required by this BAA or as Required By Law.
2.2 Safeguards. Business Associate agrees to use appropriate administrative, physical and technical safeguards to prevent Use or Disclosure of PHI and ePHI other than as provided for by this BAA, including policies and procedures to implement and maintain administrative, technical, and physical safeguards appropriate to the size and complexity of Business Associate’s operations and the nature and scope of its activities.
2.3 Notification. Business Associate shall report in writing to Covered Entity any Use or Disclosure of PHI not provided for by this BAA, including a Breach of unsecured PHI as required by 45 C.F.R. § 164.410, and any Security Incident of which it becomes aware; provided, however, that notice is hereby deemed provided, and no further notice will be provided by Business Associate, for unsuccessful attempts at unauthorized access, use, disclosure, modification, or destruction, such as pings and other broadcast attacks on a firewall, denial of service attacks, port scans, unsuccessful login attempts, or interception of encrypted information where the key is not compromised, or any combination of the above.
2.4 Agents and Subcontractors. Business Associate agrees to ensure in a contract or other written agreement that any agents and subcontractors to whom a Business Associate provides PHI, created, maintained, transmitted or received by Business Associate on behalf of Covered Entity, agree to substantially the same restrictions, conditions and requirements that apply to Business Associate under this BAA.
2.5 Access to Information. Upon receiving a written request from Covered Entity, Business Associate shall make available to the Covered Entity PHI maintained by Business Associate, in electronic form and format requested by the Covered Entity (which, when available shall be through Covered Entity accessing Business Associate’s online portal) if such format is readily available, necessary for Covered Entity to respond to Individuals’ requests for access to PHI about them in the event that the PHI in Business Associate’s possession constitutes a Designated Record Set. In the event any individual requests access to PHI directly from Business Associate, Business Associate shall forward such request to the Covered Entity without unreasonable delay.
2.6 Availability of PHI for Amendment. Upon receiving a written request from Covered Entity, Business Associate shall make available to the Covered Entity PHI for amendment and incorporate any amendments to the PHI in accordance with 45 C.F.R. Part 164 Subpart E (“Privacy Rule”) in the event that the PHI in Business Associate’s possession constitutes a Designated Record Set.
2.7 Accounting of Disclosures. Upon receiving a written request from Covered Entity, Business Associate shall make available to the Covered Entity the information to the extent required for the Covered Entity to provide an accounting of disclosures of PHI as required by Section 164.528(a) of the Privacy Rule. This will include, as required by the Privacy Rule, the following information: (i) the date of the disclosure, (ii) the name of the entity or person who received the PHI, and if known, the address of such entity or person, (iii) a brief description of the PHI disclosed, and (iv) one of the following, as applicable: (a) a brief statement of the purpose of such disclosure which includes an explanation that reasonably informs the individual of the basis for such disclosure or in lieu of such statement; (b) a copy of a written request from the Secretary of Health and Human Services to investigate or determine compliance with HIPAA; or (c) a copy of the individual’s request for an accounting. In the event the request for an accounting is delivered directly to Business Associate, Business Associate shall forward such request to the Covered Entity without unreasonable delay.
2.8 Responsibility of Business Associate. To the extent Business Associate is directed under the Underlying Agreement(s) or this BAA to carry out one or more of Covered Entity’s obligations under the HIPAA Regulations, Business Associate shall comply with the requirements of the HIPAA Regulations that apply to the Covered Entity in performance of such obligations.
2.9 Availability of Books and Records. Business Associate agrees to make its policies, procedures, internal practices, books and records relating to its compliance with this BAA available to the Secretary of Health and Human Services for purposes of determining Covered Entity’s compliance with the Privacy and Security Rule.
3. PERMITTED USES AND DISCLOSURES OF PHI
3.1 Scope of Permitted Uses. Except as otherwise specified in this BAA, Business Associate may Use or Disclose PHI as necessary to perform its obligations under the Underlying Agreement(s) or as Required by Law.
3.2 Management and Administration. Business Associate may use and disclose PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of the Business Associate, provided the disclosures are Required By Law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and used or further disclosed only as Required By Law or for the purposes for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
3.3 Data Aggregation. Business Associate may provide data aggregation services relating to the health care operations of Covered Entity, if such activity is permitted under the Underlying Agreement(s).
3.4 De-identified PHI. Business Associate may de-identify any and all PHI obtained by Business Associate under this BAA, and use such de-identified data, all in accordance with the de-identification requirements of the Privacy Rule, if such activity is permitted under the Underlying Agreement(s).
3.5 Specific Authorization. Business Associate may Use and Disclose PHI received pursuant to an authorization that specifically permits disclosure to Business Associate and that complies with the HIPAA Regulations.
4. PROHIBITED USES AND DISCLOSURES OF PHI
4.1 Prohibited Uses. Business Associate may not Use or Disclose PHI in a manner that is not permitted in Section 3. Prohibited Uses and Disclosures include, but are not limited to the following:
(a) Business Associate shall not use or disclose PHI for fundraising or marketing purposes, unless expressly permitted under the Underlying Agreement(s).
(b) Business Associate shall not disclose PHI to a health plan for payment or health care operations purposes if the patient has requested this special restriction, and has paid out of pocket in full for the health care item or service to which the PHI solely relates.
(c) Business Associate shall not directly or indirectly receive remuneration in exchange for PHI, except with the prior written consent of Covered Entity and as permitted in the HIPAA Regulations; however, this prohibition shall not affect payment by Covered Entity to Business Associate for services provided pursuant to the Underlying Agreement.
(d) Business Associate shall not use PHI for research purposes without Covered Entity’s written authorization.
5. RESPONSIBILITIES OF COVERED ENTITY
5.1 Covered Entity shall:
(a) Provide Business Associate with the notice of privacy policies that Covered Entity produces in accordance with 45 C.F.R. §164.520, as well as any changes to such notice.
(b) Provide Business Associate, in writing, with any changes in, or revocation of, permission by Individual to the Use or Disclosure of PHI, if such changes affect Business Associate’s permitted or required uses or disclosures. Upon receipt by Business Associate of such notice of changes, Business Associate shall cease the use and disclosure of any such Individual’s PHI to the extent that it has relied on such use or disclosure, or where an exception under HIPAA expressly applies.
(c) Notify Business Associate of any restriction to the Use or Disclosure of PHI that Covered Entity has agreed to in accordance with 45 C.F.R. §164.522.
(d) Not request or require Business Associate to Use and/or Disclose PHI in a manner not permitted by HIPAA or any applicable state laws.
6. TERM AND TERMINATION
6.1 Term. This BAA shall be effective on the earliest effective date for any Underlying Agreements and shall remain in effect until terminated pursuant to Section 6.2 below, or upon termination of all of the Underlying Agreements.
6.2 Termination. This BAA shall continue in effect until the earlier to occur of (i) expiration or termination of the Underlying Agreement(s) or (ii) termination pursuant to this Section 6.2. Either Party may terminate this BAA effective immediately if it determines that the other Party has breached a material term of this BAA and failed to cure such breach within thirty (30) days of being notified by the other Party of the breach.
6.3 Effect of Termination. Except as provided in Section 6.4, upon termination or expiration of this BAA or the Underlying Agreement(s) for any reason, Business Associate shall return or destroy all PHI received from Covered Entity or created or received by Business Associate on behalf of Covered Entity. Business Associate shall not retain copies of PHI. This provision shall apply to PHI in possession of subcontractors or agents of Business Associate.
6.4 Return or Destruction Infeasible. Upon termination of this BAA or the Underlying Agreement(s), Business Associate shall, if feasible, return to Covered Entity or destroy all PHI that Business Associate maintains in any form and retain no copies of such PHI. In the event that Business Associate reasonably determines that returning or destroying the PHI is infeasible, Business Associate shall notify Covered Entity and extend the protections of this BAA to such PHI and limit further Uses and Disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI. This provision shall survive the termination or expiration of this BAA and/or any Underlying Agreement.
7.1 Underlying Agreement; Interpretation. This BAA is subject to and made part of the Underlying Agreement to which it relates, including, without limitation, any applicable limitations of liability. The terms of this BAA shall prevail in the case of any conflict with the terms of any Underlying Agreement to the extent necessary to allow Covered Entity and Business Associate to comply with the HIPAA Regulations.
7.2 No Third Party Beneficiaries. Nothing in this BAA shall confer upon any person other than the Parties and their respective successors or assigns, any rights, remedies, obligations, or liabilities whatsoever.
7.3 Amendment. To the extent that any relevant provision of the HIPAA Regulations is materially amended in a manner that changes the obligations of Business Associates or Covered Entities, the Parties agree to negotiate in good faith appropriate amendments to this BAA to give effect to these revised obligations.
7.4 Survival. The respective rights and obligations of Business Associate and Covered Entity under the provisions of Sections 6.3, 6.4, 7.1, 7.4, 7.8, 7.9; and Sections 2, 3, and 4 solely with respect to PHI the Business Associate retains in accordance with Section 6.4 because it is not feasible to return or destroy such PHI, shall survive termination of this BAA indefinitely.
7.5 Notices. Any notices to be given hereunder to a party shall be made via U.S. Mail or express courier to such party’s address given below, and/or (other than for the delivery of fees) via facsimile to the facsimile telephone numbers listed below.
If to Covered Entity:
If to Business Associate: Woolly Labs, Inc. d/b/a Vouched:
Each party named above may change its address for notice by the giving of notice thereof in the manner hereinabove provided.
7.6 Counterparts; Facsimiles. This BAA may be executed in any number of counterparts, each of which shall be deemed an original. Facsimile copies hereof shall be deemed to be originals.
7.7 Severability. If any provision of this BAA, or any other agreement document, or writing pursuant to or in connection with this BAA, is found to be wholly or partially invalid or unenforceable, the remainder of the agreement is unaffected.
7.8 Disputes. If any controversy, dispute or claim arises between the parties with respect to this BAA, the parties shall make good faith efforts to resolve such matters informally and in accordance with any dispute resolution process specified in the Underlying Agreements.
7.9 Regulatory References. A reference in this BAA to a section in the HIPAA Regulations means the section as in effect or as amended.