BUSINESS ASSOCIATE AGREEMENT
Last updated January 30, 2024
This Business Associate Agreement ("Agreement") is made between NoteMD ("Business Associate") and the customer who has agreed to the Terms of Use with Business Associate ("Covered Entity"), taking effect from the Effective Date. Hereafter, Covered Entity and Business Associate shall be collectively known as the "Parties."
WHEREAS, in accordance with the Terms of Use, Business Associate is tasked with providing specific services to, for, or on behalf of Covered Entity that involve accessing or disclosing Protected Health Information, and under these Terms of Use, Business Associate is deemed a "business associate" of Covered Entity;
WHEREAS, the federal Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, amended by the Health Information Technology for Economic and Clinical Health Act and known together as "the Administrative Simplification provisions," mandates the Department of Health and Human Services to establish standards for securing the privacy, confidentiality, and integrity of health information;
WHEREAS, following the Administrative Simplification provisions, the Secretary of Health and Human Services has enacted regulations at 45 CFR Parts 160 and 164, subject to future amendments (the "HIPAA Security and Privacy Rule");
WHEREAS, the Parties are engaged or will engage in a relationship where Business Associate is to provide specific services or conduct certain activities for Covered Entity, and within this context, Business Associate is recognized as a "business associate" of Covered Entity as defined in the HIPAA Security and Privacy Rule;
WHEREAS, in fulfilling these activities and/or providing these services, Business Associate may access Protected Health Information (as defined later in this document) held, owned, or managed by Covered Entity, or may generate or collect Protected Health Information on behalf of Covered Entity for the purposes outlined in this Agreement;
WHEREAS, according to the Federal Standards for Privacy and Security of Individually Identifiable Health Information, 45 C.F.R. Parts 160 and 164, set forth under the Health Insurance Portability and Accountability Act (HIPAA), Covered Entity is prohibited from sharing Protected Health Information with, or allowing the generation or collection of Protected Health Information by, Business Associate unless Covered Entity receives adequate assurances from Business Associate that such information will be securely protected;
WHEREAS, Business Associate agrees to provide such assurances to Covered Entity as stipulated in this document.
NOW, THEREFORE, in light of the ongoing responsibilities under this arrangement, adherence to the HIPAA Security and Privacy Rule, and in exchange for other valuable consideration, the receipt and adequacy of which are hereby recognized, the Parties agree as outlined below:
I. DEFINITIONS
(a) Unless specified otherwise within this document, all capitalized terms in this Agreement are to be interpreted as defined by the HIPAA Security and Privacy Rule. Should there be any discrepancies between the terms of this Agreement and the compulsory conditions of the HIPAA Security and Privacy Rule, as updated, the stipulations of the HIPAA Security and Privacy Rule will prevail. In cases where the terms of this Agreement differ from those required by the HIPAA Security and Privacy Rule but are still allowed, the terms of this Agreement will take precedence.
(b) "Protected Health Information" refers to health information that is personally identifiable, including, but not limited to, all forms of data, records, and materials, which encompass demographic, medical, and financial details, and pertain to an individual's past, present, or future physical or mental health status; health care provided to an individual; or past, present, or future payments for health care services provided to an individual. This information must either directly identify the individual or there must be a reasonable basis to believe it could be used to identify the individual. "Protected Health Information" also comprehensively includes "Electronic Protected Health Information" as outlined below.
(c) "Electronic Protected Health Information" is defined as Protected Health Information that is either transmitted via Electronic Media (as delineated in the HIPAA Security and Privacy Rule) or stored within Electronic Media.
(d) "Security Incident" means any attempted or successful unauthorized access, use, disclosure, modification, or destruction of information, or any interference with system operations, in an information system.
Business Associate recognizes and consents that all Protected Health Information created or received by Covered Entity and shared or made accessible in any manner, including paper documents, verbal communications, audio recordings, and electronic presentations by Covered Entity or its operational divisions to Business Associate, or that is generated or acquired by Business Associate on behalf of Covered Entity, is governed by this Agreement.
II. AUTHORIZED USAGE AND DISCLOSURE
(a) NoteMD is allowed to use or share Protected Health Information solely as authorized by this Agreement or as mandated by law. Beyond the specific provisions outlined here, NoteMD is prohibited from using or disclosing Protected Health Information in a way that would breach the HIPAA Security and Privacy Rule if conducted by Covered Entity. In particular, NoteMD is permitted to use or disclose Protected Health Information (1) to fulfill its duties under any contracts that demonstrate the business relationship between the Parties, or (2) as necessitated by any applicable law, regulation, or by any accrediting or credentialing body that requires Covered Entity to provide such information, or (3) as otherwise allowed within this Agreement, the business relationship between the Parties (provided it aligns with this Agreement and the HIPAA Security and Privacy Rule), or the HIPAA Security and Privacy Rule, or (4) in a manner that would be allowable under the HIPAA Security and Privacy Rule if such action were taken by Covered Entity.
(b) NoteMD is permitted to de-identify Protected Health Information solely upon the explicit instruction of and for the benefit of Covered Entity. NoteMD is prohibited from selling Protected Health Information unless directed by Covered Entity and in accordance with the HIPAA Security and Privacy Rule.
(c) Despite the restrictions outlined in this Agreement, NoteMD may:
(i) Utilize Protected Health Information for the essential management and administrative operations of NoteMD or to fulfill NoteMD's legal obligations;
(ii) Reveal Protected Health Information for the essential management and administrative operations of NoteMD or to fulfill NoteMD's legal obligations, provided that for any such disclosure (A) The disclosure is legally required; or (B) NoteMD secures verifiable assurances from the recipient that the information will be kept confidential and only used or further disclosed as required by law or for the purpose for which it was disclosed to the recipient, and the recipient informs NoteMD of any known breaches of confidentiality;
(iii) Offer data aggregation services related to the health care operations of Covered Entity under any contracts between the Parties that reflect their business association. Within the context of this Agreement, data aggregation refers to the process by which NoteMD combines Protected Health Information with the Protected Health Information received by NoteMD in its role as a business associate of another covered entity, enabling data analysis that pertains to the health care operations of the involved covered entities.
(a) NoteMD commits to not utilizing or disclosing Protected Health Information except as allowed or mandated by this Agreement or as required by law. When NoteMD is fulfilling Covered Entity's duties under the HIPAA Security and Privacy Rule, NoteMD will adhere to the relevant sections of the HIPAA Security and Privacy Rule as though such actions were undertaken by Covered Entity. Covered Entity will refrain from instructing NoteMD to use or disclose Protected Health Information in any way that would contravene the HIPAA Security and Privacy Rule if performed by Covered Entity, except as specifically outlined in this Agreement. NoteMD agrees to follow Covered Entity's guidelines on the minimal necessary use or disclosure of Protected Health Information.
(b) NoteMD commits to conducting HIPAA training for all its staff who manage Covered Entity’s account or who will have access to Covered Entity’s Protected Health Information.
(c) Upon the conclusion of this Agreement, the business relationship between the Parties, or at the request of Covered Entity, whichever comes first, NoteMD will, if feasible, return (following a process approved by Covered Entity) or destroy all Protected Health Information obtained from Covered Entity, or created, held, or received by NoteMD on behalf of Covered Entity, that NoteMD still possesses in any format, retaining no copies. If return or destruction is not feasible, NoteMD will (i) keep only the Protected Health Information that is necessary under the circumstances; (ii) return or destroy the remaining Protected Health Information in any format that NoteMD still possesses; (iii) extend this Agreement's protections to the kept Protected Health Information; (iv) restrict further uses and disclosures to those situations that make the return or destruction unfeasible; and (v) return or destroy the kept Protected Health Information when it is no longer needed by NoteMD. This clause will survive this Agreement's termination and applies to Protected Health Information created, held, or received by NoteMD and its subcontractors.
(d) NoteMD ensures that its agents, including subcontractors, that create, receive, maintain, or transmit Protected Health Information on behalf of NoteMD, adhere to the same (or more stringent) restrictions and conditions as NoteMD regarding such information, and implement suitable safeguards to protect any Electronic Protected Health Information. NoteMD commits to formalizing agreements with any subcontractors in alignment with the HIPAA Security and Privacy Rule and will take reasonable measures to prevent its employees’ actions or inactions from causing NoteMD to breach this Agreement.
(e) NoteMD will enact appropriate measures to prevent the use or disclosure of Protected Health Information other than as authorized by this Agreement. NoteMD will implement administrative, physical, and technical safeguards to reasonably and appropriately protect the confidentiality, integrity, and availability of any Electronic Protected Health Information it creates, receives, maintains, or transmits on behalf of Covered Entity as required by the HIPAA Security and Privacy Rule.
(f) Where relevant, NoteMD will comply with (i) Covered Entity’s Notice of Privacy Practices; (ii) any limitations that Covered Entity has consented to regarding an Individual’s authorization to use or disclose his or her Protected Health Information; and (iii) any use or disclosure restrictions of Protected Health Information to which Covered Entity has agreed or is obliged to agree.
(g) NoteMD will make available its internal practices, records, and books to the Secretary of the Department of Health and Human Services for the purpose of verifying compliance with the HIPAA Security and Privacy Rule provisions, and upon the Secretary's request, will cooperate with any investigations, compliance reviews, permit information access, and collaborate with any complaints as legally required. Without undue delay and not exceeding 48 hours after receiving the request or notification, NoteMD will inform Covered Entity in writing about any request by a governmental entity, or its delegate, to examine NoteMD’s compliance with the law or this BAA, to address a complaint, or to conduct any audit or assessment.
(h) NoteMD shall notify Covered Entity of any use or disclosure of Protected Health Information not in accordance with this Agreement's terms, as well as any Security Incident or any actual or suspected Breach, of which it becomes aware, without undue delay and no later than three business days following such discovery. Security Incidents and Breaches are considered discovered by NoteMD on the first day they are known to NoteMD or, with reasonable diligence, would have been known to NoteMD. Notifications to Covered Entity will include the details required by 45 C.F.R. § 164.410. Additionally, NoteMD commits to mitigating, as far as practicable, any adverse effect known to NoteMD resulting from a use or disclosure of Protected Health Information by NoteMD in violation of this Agreement's requirements, and to fully cooperate with Covered Entity in case of a review or investigation of such noncompliance or Security Incident.
NoteMD will assist in Covered Entity's breach analysis and/or risk assessment if requested and will collaborate with Covered Entity if it is determined that third parties must be informed of a Breach, provided that NoteMD shall not issue any
(a) NoteMD commits to providing access to Protected Health Information within a Designated Record Set to Covered Entity as necessary and in the manner stipulated by Section 164.524 of the HIPAA Security and Privacy Rule.
(b) NoteMD agrees to make available Protected Health Information within a Designated Record Set for amendment purposes and to integrate any changes to Protected Health Information as dictated by Section 164.526 of the HIPAA Security and Privacy Rule and following the instructions of Covered Entity.
(c) NoteMD shall keep and provide access to the information required for an accounting of disclosures, in line with Section 164.528 of the HIPAA Security and Privacy Rule. NoteMD will adhere to Covered Entity's guidelines concerning the accounting of disclosures.
(d) NoteMD consents to abide by any requests for limitations on specific disclosures of Protected Health Information according to Section 164.522 of the HIPAA Security and Privacy Rule, to which Covered Entity has consented and of which NoteMD has been informed by Covered Entity.
(e) Should an Individual directly approach NoteMD with a request under this Section IV, NoteMD will inform Covered Entity of such request in writing within three (3) business days and will collaborate with, and act according to, Covered Entity's instructions in addressing the request.
This Agreement becomes effective from the date initially mentioned above and will end at the earlier occurrence of (i) the conclusion of all contracts between the parties, or (ii) the termination by Covered Entity on grounds specified in this document. Despite any provisions in this Agreement, Covered Entity is entitled to immediately terminate this Agreement if it determines that NoteMD has breached any essential condition of this Agreement. If Covered Entity has a reasonable belief that NoteMD is likely to breach an important term of this Agreement and, where feasible, notifies NoteMD in writing of such belief within a reasonable timeframe after having this belief, and NoteMD does not provide satisfactory written assurances to Covered Entity that it will not violate the specified term of this Agreement within a reasonable timeframe considering the particular situation, but in any case, before the anticipated breach occurs, then Covered Entity reserves the right to immediately terminate this Agreement.
VI. GENERAL PROVISIONS
Beyond what is explicitly stated in this document or the HIPAA Security and Privacy Rule, this Agreement does not aim to bestow any rights upon third-party individuals. The responsibilities of NoteMD under this Agreement shall outlast the expiration, termination, or cancellation of this Agreement and/or the business relationship between the Parties, continuing to obligate NoteMD, along with its agents, employees, contractors, successors, and assigns as described herein.
Amendments or modifications to this Agreement must be made through a written document signed by both Parties. Neither Party can transfer their rights and duties under this Agreement without the written approval of the other Party. This Agreement does not intend to, nor shall it be construed to, create any partnership, joint venture, agency, franchise, or employment relationship between the Parties, other than the relationship of independent entities contracting with each other solely to carry out the provisions of this Agreement and any other agreements that reflect their business relationship.
This Agreement shall be governed by the laws of the State of California. Any waiver, change, or discharge of any liability or obligation under this Agreement on one or multiple instances will not be considered a waiver of any ongoing or different obligation, nor will it prevent the enforcement of any obligation at any other time.
In the case where any documentation of the arrangement under which NoteMD offers services to Covered Entity includes clauses on the use or disclosure of Protected Health Information that are stricter than those in this Agreement, those stricter provisions shall prevail. The clauses of this Agreement are designed to set the minimum standards for NoteMD's use and disclosure of Protected Health Information.
Should any clause of this Agreement be deemed invalid or unenforceable by a competent court, the remaining clauses shall continue to be valid and enforceable. Furthermore, if either party sincerely believes that any part of this Agreement does not comply with the current requirements of the HIPAA Security and Privacy Rule, they must notify the other party in writing. The parties will then have up to thirty days to collaboratively address and possibly amend the Agreement to ensure compliance. If, after this thirty-day period, either party still sincerely believes the Agreement does not comply with the HIPAA Security and Privacy Rule, either party may terminate the Agreement upon written notice to the other party.