SIMPLIFEYE, INC. BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement (“BAA”) is made and entered into by and between Simplifeye, Inc. (“us”, “we”, the “Business Associate”) and the Covered Entity in connection with your and the Covered Entity’s use of our technology services (“Services”). This BAA will be effective as to the date electronically accepted by you on behalf of the Covered Entity (“BAA Effective Date”).
You represent and warrant that: (i) you have full legal authority to bind the Covered Entity to this BAA, (ii) you have read and understand this BAA, and (iii) you agree, on behalf of the Covered Entity, to the terms of this BAA. If you do not have legal authority to bind the Covered Entity or do not agree to these terms, please do not electronically accept the terms of this BAA.
This BAA, together with the Terms of Service, as supplemented by this BAA, (a) is intended by the parties as a final, complete and exclusive expression of the terms of their agreement regarding the subject matter hereof; and (b) supersedes all prior agreements and understandings (whether oral or written) between the parties with respect to the subject matter hereof.
The parties hereby agree as follows:
1.1. “Business Associate” shall have the same meaning as the term “business associate” at 45 CFR 160.103, and in reference to the party to this agreement, shall mean us.
1.2. “Covered Entity” shall have the same meaning as the term “covered entity” at 45 CFR 160.103, and in reference to the party to this agreement, shall mean, as applicable, you and the company, institution or other entity employing, contracting or retaining you, or on whose behalf you are using the Service.
1.3. “Electronic Protected Health Information” shall have the same meaning as the term “electronic protected health information”, limited to such information created, received, maintained or transmitted by us from or on behalf of the Covered Entity in connection with the Services.
1.4. “HIPAA” shall mean the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 (“HIPAA”), Subtitle D of Title XIII of Division A of the American Recovery and Reinvestment Act of 2009, Public Law 111-5 (“HITECH”), and the regulations promulgated under HIPAA and HITECH.
1.5. “Protected Health Information” shall have the same meaning as “protected health information” as set forth in 45 C.F.R. §160.103, limited to such information created, received, maintained or transmitted by us from or on behalf of the Covered Entity in connection with the Services.
1.6. The following terms used in this BAA shall have the same meanings as those terms in HIPAA: Breach, Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Individual, Notice of Privacy Practices, Required by Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use.
2. Applicability and Validity
This BAA applies and is valid only to the extent that you: (i) have accepted our Terms of Service for the Services and (ii) are creating, receiving, maintaining or transmitting Protected Health Information, in your capacity as a Covered Entity, by using the Services.
3. Our Obligations
3.1 We will use appropriate physical, administrative and technical safeguards that (i) reasonably and appropriately protect the confidentiality, integrity, and availability of Electronic Protected Health Information; and (ii) prevent the Use, Disclosure of, or access to the Protected Health Information other than as provided for by HIPAA and this BAA.
3.2 Within five (5) business days, we will report to you any Use or Disclosure of Protected Health Information not provided for by this BAA of which we become aware, including a Breach of Unsecured Protected Health Information as required at 45 CFR 164.410, and any Security Incident of which we become aware; provided, however, that the parties acknowledge and agree that this Section 3.2 constitutes the required notice by us to you of the ongoing existence and regular occurrence of incidents which do not result in the defeat or circumvention of any security control or are prevented by such a security control, or in the unauthorized access, Use or Disclosure of Electronic Protected Health Information.
3.3 In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2) as applicable, we will ensure that any Subcontractors that create, receive, maintain, or transmit Protected Health Information on our behalf agree to the same restrictions, conditions, and requirements that apply to us with respect to such information.
3.4 We will make available to you Protected Health Information in a Designated Record Set as necessary to satisfy the Covered Entity’s obligations under 45 CFR 164.524 by including within the Services the tools necessary for you to access such Protected Health Information.
3.5 We will make any amendments to Protected Health Information in a Designated Record Set as directed or agreed to by you pursuant to 45 CFR 164.526, or take other measures, including providing you with the tools to make such amendments, as necessary to satisfy the Covered Entity’s obligations under 45 CFR 164.526.
3.6 We will maintain and make available to you the information required to provide an accounting of Disclosures of Protected Health Information as necessary to satisfy the Covered Entity’s obligations under 45 CFR 164.528.
3.7 We will comply with the requirements of Subpart E that apply to you in the performance of the Covered Entity’s obligations under Subpart E of 45 CFR Part 164, to the extent we are to carry out one or more of such obligations. We shall also comply with Subpart C of 45 CFR Part 164.
3.8 We will make our internal practices, books, and records available to the Secretary for purposes of determining the Covered Entity’s compliance with HIPAA.
4. Our Permitted Uses and Disclosures
4.1 We will not Use or disclose Protected Health Information other than as permitted or required by this BAA, or as Required by Law. We may Use or disclose Protected Health Information to perform functions, activities or services for or on behalf of the Covered Entity in connection with the Terms of Service including, without limitation, the provision of maintenance and support services, provided such Use or disclosure would not violate HIPAA if done by the Covered Entity, unless expressly permitted as set forth below in Sections 4.2 and 4.3.
4.2 We may Use Protected Health Information for our own proper managerial and administrative duties, or to carry out our legal responsibilities.
4.3 We may Disclose Protected Health Information for our own proper managerial and administrative functions, or to carry out our legal responsibilities, provided the Disclosures are Required by Law, or that we obtain reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and Used or further Disclosed only as Required by Law or for the purposes for which it was Disclosed to the person, and the person notifies us of any instances of which it is aware in which the confidentiality of the information has been breached.
4.4 We may provide Data Aggregation Services relating to the Covered Entity’s health care operations as permitted by 45 CFR §164.504(e)(2)(i)(B).
4.5 We may Use de-identified Protected Health Information in accordance with HIPAA, and Use or disclose such de-identified data for any management and administration and product development purposes, in each case in accordance with the terms of this BAA and HIPAA. This Section shall survive the termination of this BAA.
5. Your Obligations
5.1 You agree that you are responsible for authorizing access to Protected Health Information when using the Services and you represent and warrant that you shall authorize such access in a manner that complies with HIPAA and the terms of this BAA.
5.2 You acknowledge that the Services include the tools necessary for you to access Protected Health Information maintained in the Services, and that such tools allow you to fulfill Covered Entity’s obligations to Individuals pursuant to 45 C.F.R. § 164.524. You further acknowledge that we have no further obligation to you, or any Individual, with respect to any Individual’s right to access his or her Designated Record Set and that such obligation, if any, is your sole responsibility.
5.3 You represent and warrant that the Covered Entity has obtained and shall obtain all necessary consents, authorizations and/or other permissions that may be required under HIPAA and/or other applicable law to use the Services and Disclose Protected Health Information to us. You agree that you are responsible for managing your use of the Services to conform to any changes or revocations of permissions previously obtained.
5.4 You represent and warrant to us that the Covered Entity’s Notice of Privacy Practices permits you and the Covered Entity to use the Services and disclose Protected Health Information to us, and that the Covered Entity’s Notice of Privacy Practices incorporates the terms and statements required by HIPAA. You shall ensure that the Covered Entity shall not modify such notice or its privacy procedures in any manner that may affect our authority to Use or Disclose Protected Health Information pursuant to this BAA without our written consent, except as may be required by applicable law.
5.5 You will notify us of any limitations in the Covered Entity’s Notice of Privacy Practices under 45 CFR 164.520, to the extent that such limitation may affect our Use or Disclosure of Protected Health Information.
5.6 You will notify us of any changes in, or revocation of, the permission by an Individual to Use or Disclose his or her Protected Health Information, to the extent that such changes may affect our Use or Disclosure of Protected Health Information.
5.7 You will notify us of any restriction on the Use or Disclosure of Protected Health Information that the Covered Entity has agreed to or is required to abide by under 45 CFR 164.522, to the extent that such restriction may affect our Use or Disclosure of Protected Health Information.
5.8 You shall ensure that the Covered Entity does not request that we Use or Disclose Protected Health Information in any manner that would not be permissible under Subpart E of 45 CFR Part 164 if done by the Covered Entity, except as specified in this BAA.
5.9 You represent and warrant to us that you and the Covered Entity shall comply with all requirements of HIPAA, and any similar federal or state requirements relating to privacy concerns.
6. Term and Termination
6.1 The Term of this BAA shall be effective as of the BAA Effective Date, and shall terminate upon the earlier to occur of: (i) the termination of the Terms of Service for any reason, or (ii) the termination of this BAA pursuant to the provisions herein.
6.2 Either party may terminate this BAA due to a material Breach of this BAA by the other party upon giving the other party thirty (30) days prior written notice; provided the breaching party does not cure the Breach prior to the effective date of termination. Either party also has the right to terminate this BAA for any reason upon 90 days prior written notice to the other party.
6.3 Upon termination of this BAA, for any reason, you shall immediately cease transmitting Protected Health Information to the Services and we shall return or destroy all Protected Health Information in the Services. If we determine that destruction of such Protected Health Information is not feasible, we shall continue to extend the protections of this BAA to such Protected Health Information, and limit its further Use and Disclosure, if any, of such Protected Health Information to those purposes that make the return or destruction of such Protected Health Information infeasible, for so long as we maintain such Protected Health Information. The obligations of the parties under this Section 6.3 shall survive the termination of this BAA.
7.1 The parties acknowledge that technology and state and federal laws relating to data and Protected Health Information security and privacy are rapidly evolving, and you further agree that we may unilaterally take action as we deem necessary to amend this BAA.
7.2 Nothing express or implied in this BAA is intended to confer, nor shall anything herein confer, upon any person other than the parties and their respective successors or assigns, any rights, remedies, obligations, or liabilities whatsoever.
7.3 This BAA supersedes and replaces all prior or contemporaneous representations, understandings, agreements or communications between you and us, whether written or verbal, regarding the subject matter of this BAA. Except as amended by this BAA, the Terms of Service will remain in full force and effect. If there is a conflict between any other agreement between the parties, including the Terms of Service, with respect to the subject matter of this BAA, the terms of this BAA will control.