Business Associate Agreement
Last Updated May 9, 2023
This Business Associate Agreement (this “BAA”) is made effective as of _____________ (the “Effective Date”) by and between ImageMoverMD, Inc., with offices at 2858 University Ave #265, Madison, WI 53705 (“Business Associate”) and _______________________ (“Covered Entity”), with its principal place of business at ___________________.
I. Definitions
Terms used, but not otherwise defined, in this BAA shall have the same meaning as those terms in 45 CFR 160.103 and 164.501 and 164.304.
(a) HIPAA shall mean (i) the Health Insurance Portability and Accountability Act of 1996, and the regulations promulgated thereunder, and any subsequent amendments or modifications thereto; and (ii) the Health Information Technology for Economic and Clinical Health Act, and the HITECH Act Regulations promulgated thereunder, and any subsequent amendments or modifications thereto.
(b) HIPAA Rules shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.
(c) HITECH Act Regulations shall mean the Final Rule implementing modifications to the privacy, security, enforcement, and breach notification rules published in the Federal Register on January 25, 2013, as may be amended, modified, or superseded from time to time.
(d) Individual shall have the same meaning as the term in 45 CFR 160.103. Where applicable pursuant to HIPAA, including, without limitation, as set forth in 45 CFR 164.502, the term Individual as used herein shall be deemed to include a person who qualifies as an individual’s personal representative.
(e) Privacy Rule shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 CFR part 160 and part 164, subparts A and E, as may be amended, modified, or superseded from time to time.
(f) Protected Health Information or “PHI” shall have the same meaning as the term in 45 CFR 160.103, limited to the information created, received, maintained, or transmitted by Business Associate from or on behalf of Covered Entity. For clarity, the term PHI shall not include any information collected by or on behalf of Business Associate through or in connection with the Services Agreements that does not constitute “individually identifiable health information” as such term is defined in 45 CFR 160.103.
(g) Required By Law shall have the same meaning as the term in 45 CFR 164.103.
(h) Secretary shall mean the Secretary of the Department of Health and Human Services or the designee of the Secretary.
(i) Services Agreement(s) shall mean the undertakings in written contracts, engagements, or otherwise, by which Business Associate provides products or services to Covered Entity which involve the creation, receipt, maintenance, or transmission of PHI for which Covered Entity is responsible. This BAA will apply to all Services Agreements, unless the parties specifically agree otherwise in writing. For clarity, the applicability of this BAA to any Services Agreement shall only apply with respect to the services provided by Business Associate to Covered Entity under such Services Agreement that pertain to the creation, receipt, maintenance, or transmission of PHI by Business Associate on behalf of Covered Entity.
II. Obligations and Activities of Business Associate
(a) Business Associate agrees not to use or further disclose PHI other than as permitted or required by the Services Agreement, this BAA or as Required by Law.
(b) Business Associate agrees to use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this BAA.
(c) Business Associate agrees to report to Covered Entity any use or disclosure of the PHI not provided for by the Services Agreements or this BAA of which it becomes aware promptly upon becoming aware thereof, and in any event within five (5) days.
(d) Business Associate agrees to ensure that any agent, including a subcontractor, to whom it provides PHI received from, or created or received by Business Associate on behalf of, Covered Entity agrees in writing to the same restrictions and conditions that apply throughout this BAA to Business Associate with respect to such information.
(e) Business Associate agrees to make internal practices, books, and records available to the Secretary for purposes of determining compliance with the HIPAA Rules.
(f) Business Associate agrees to document and maintain such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR 164.528 (collectively, “Disclosure Information”). Within five (5) days of receipt of a request from Covered Entity, Business Associate agrees to provide to Covered Entity the applicable Disclosure Information relating to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR 164.528.
(g) Within five (5) days of a request by Covered Entity, Business Associate shall make PHI maintained by Business Associate in a Designated Record Set available to Covered Entity as necessary to enable Covered Entity to fulfill its obligations under 45 CFR 164.524. Business Associate shall provide access to a copy of electronic PHI maintained by Business Associate in a Designated Record Set to Covered Entity in accordance with the provisions of this section and as Required by Law.
(h) Within five (5) days of receipt of a request by Covered Entity, Business Associate shall amend PHI maintained by Business Associate in a Designated Record Set as directed by Covered Entity to enable Covered Entity to fulfill its obligations under 45 CFR 164.526.
(i) Business Associate will provide Covered Entity with written notice of a Breach involving Unsecured PHI without unreasonable delay, and in no case later than five (5) days after the first day the Breach is known, or reasonably should have been known by exercising reasonable diligence, to the Business Associate, including for this purpose any employee, officer, or other agent of the Business Associate (other than the individual committing the Breach). The notice will include, to the extent possible, the identification of each Individual whose Unsecured PHI was, or is reasonably believed to have been, subject to the Breach and any other available information concerning the Breach that Covered Entity is required to include in notifications to individuals under 45 CFR 164.404(c) (“Required Breach Information”). To the extent all Required Breach Information is not known or available at the time of Business Associate’s initial notice of a Breach to Covered Entity, Business Associate will continue to diligently investigate the Breach and will provide Covered Entity with additional Required Breach Information as it becomes available. Covered Entity will be solely responsible for determining the need, content, and recipients of notice and, unless the parties agree otherwise, for providing any required notice to individuals or governmental authorities.
(j) Business Associate will not disclose Covered Entity’s PHI to a health plan for payment or health care operations purposes for health care items or services which have been paid in full by the individual out-of-pocket, except as to disclosures required by law, if the subject individual requests such restriction. Covered Entity will advise Business Associate of instances in which an individual has requested such restrictions promptly after the request has been made.
(k) Business Associate will request no more than the minimum necessary amount of Covered Entity PHI required for the performance of Business Associate’s services. Business Associate will comply with the HIPAA Minimum Necessary standard.
(l) Business Associate shall not sell PHI or receive any remuneration in exchange for the use or disclosure of PHI. Business Associate shall not use or disclose PHI for any marketing purpose.
(m) Business Associate shall comply with the requirements of HIPAA that are applicable to business associates, including all regulations that are issued to implement such requirements, as may be amended, modified, or superseded from time to time. To the extent Business Associate carries out one or more of Covered Entity’s obligation(s) under 45 CFR Part 164, Subpart E, in the performance of such obligations, Business Associate shall comply with the requirements of 45 CFR Part 164, Subpart E, that apply to Covered Entity to the same extent as required by Covered Entity. Business Associate shall comply with all applicable state laws that affect the privacy or security of PHI received from Covered Entity.
III. Permitted Uses and Disclosures by Business Associate
(a) Business Associate may use or disclose PHI for or on behalf of, or to provide functions, activities, and services for, or on behalf of, Covered Entity under the relevant Services Agreements, if such use or disclosure of PHI would not violate the Privacy Rule if done by Covered Entity.
(b) Business Associate may use PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate.
(c) Business Associate may disclose PHI for the proper management and administration of the Business Associate, provided that disclosures are Required by Law, or Business Associate obtains reasonable assurances in writing from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
(d) Except as otherwise limited in this BAA, Business Associate may use PHI to provide Data Aggregation services to Covered Entity as permitted by 45 CFR 164.504(e)(2)(i)(B).
(e) Business Associate may use PHI to report violation of law to authority under 45 CFR 164.502(j)(1).
(f) Business Associate is permitted to use or disclose PHI to de-identify PHI and as permitted or required by the Services Agreement, this BAA, or as Required by Law.
IV. Security of Electronic PHI
To the extent that Business Associate creates, receives, maintains or transmits PHI that is maintained or transmitted in electronic form (Electronic PHI) during the term of the Services Agreement(s) and any amendments thereto, Business Associate shall:
(a) Implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the Electronic PHI that it creates, receives, maintains or transmits on behalf of Covered Entity as required by 45 C.F.R. § 164.300 et seq.
(b) Ensure that any agent, including a subcontractor, to whom it provides Electronic PHI agrees in writing to implement reasonable and appropriate safeguards to protect it.
(c) Report to Covered Entity without unreasonable delay, and in no case later than five (5) days after the first day the Security Incident is known, or reasonably should have been known by exercising reasonable diligence, to the Business Associate, including for this purpose any employee, officer, or other agent of the Business Associate (other than the individual committing the Security Incident). Security Incident, as defined in 45 CFR § 164.304, means the attempted or successful unauthorized access, use, disclosure, modification or destruction of information or interference with systems operations in an information system. Notwithstanding the foregoing, Business Associate’s foregoing obligation to report Security Incidents to Covered Entity shall not apply to unsuccessful and commonplace attempts, such as pings, scans, and other typical activity.
(d) Business Associate will comply with the provisions of the Security Rule that are applicable to business associates, including adopting Administrative, Physical and Technical Safeguards for Electronic PHI and corresponding Policies and Procedures.
V. Obligations of Covered Entity
(a) Covered Entity shall provide Business Associate with prompt written notice of any limitations in its notice of privacy practices that Covered Entity produces in accordance with 45 CFR 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI, including, without limitation, any such limitations arising as a result of any changes Covered Entity makes to its notice of privacy practices.
(b) Covered Entity shall provide Business Associate with prompt written notice of any changes in, or revocation of, permission by an Individual to use or disclose PHI, if such changes affect Business Associate's permitted or required use or disclosure of PHI.
(c) Covered Entity shall promptly notify Business Associate in writing of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR 164.522, to the extent such restriction may affect Business Associate’s use or disclosure of PHI.
(d) Covered Entity shall provide Business Associate with prompt written notice of any amendments to PHI in a Designated Record Set in accordance with 45 CFR 164.526.
(e) Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under HIPAA if done by Covered Entity.
VI. Term and Termination
(a) Term. The Term of this BAA shall commence on the Effective Date, and shall terminate when all of the PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy PHI, protections are extended to such information, in accordance with the termination provisions in this Section.
(b) Covered Entity Termination for Cause. Upon Covered Entity's knowledge of a material breach by Business Associate, Covered Entity shall provide thirty (30) days for Business Associate to cure the breach or end the violation. If Business Associate fails to cure the breach within the time specified, Covered Entity may terminate this BAA immediately. A breach of this BAA constitutes a breach of the Services Agreement.
(c) Business Associate Termination for Cause. Upon Business Associate’s knowledge of a material breach by Covered Entity, Business Associate shall provide thirty (30) days for Covered Entity to cure the breach or end the violation. If Covered Entity fails to cure the breach within the time specified, Business Associate may terminate this BAA immediately. A breach of this BAA constitutes a breach of the Services Agreement.
(d) Effect of Termination. Upon termination of this BAA for any reason, Business Associate shall return or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity. This provision shall apply to PHI that is in the possession of subcontractors or agents of Business Associate. Business Associate shall retain no copies of the PHI. In the event that Business Associate determines that returning or destroying the PHI is infeasible, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction infeasible. Upon mutual agreement of the Parties that return or destruction of PHI is infeasible, Business Associate shall extend the protections of this BAA to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI.
VII. Miscellaneous
(a) Regulatory References. A reference in this BAA to a section in any statute, rule, or regulation means the section as in effect or as amended, and for which compliance is required.
(b) Amendment. The parties agree to take such action as is necessary to amend this BAA from time to time as is necessary for the parties to comply with the requirements of HIPAA. Any amendment to this BAA must be in writing and signed by Business Associate and Covered Entity.
(c) Survival. The respective rights and obligations of Business Associate which by their terms are designed to survive termination or expiration of this BAA shall survive the termination or expiration of this BAA.
(d) Interpretation. Any ambiguity in this BAA shall be resolved in favor of a meaning that permits the parties to comply with the Privacy Rule. In the event the terms of this BAA conflict with the terms of the Services Agreement, the terms of this BAA shall control with respect to the subject matter hereof.
(e) Notices. All notices pertaining to this BAA shall be sent by certified mail, delivered by courier, or sent via overnight mail (via a nationally recognized delivery service such as DHL, Fed Ex, UPS, etc.) to a party at the addresses listed in the Services Agreement or to such other address as the parties may agree. All notices shall be effective as of the date of delivery.
(f) Assignment. Either party shall have the right to assign this BAA to an affiliate or successor or assignee of the Services Agreement.
(g) Application to Subcontractors. To the extent that Business Associate is permitted by the Services Agreement to engage agents or subcontractors in connection with its services to Covered Entity, Business Associate will ensure that such subcontractors comply with the applicable requirements of this BAA to the extent such agents or subcontractors create, receive, maintain or transmit Personal Health Information for or on behalf of Business Associate. Business Associate will promptly report any material failure of an applicable agent or subcontractor to comply with this BAA, in writing.
(j) Counterparts. This BAA may be executed in multiple counterparts, each of which shall constitute an original and all of which together shall constitute but one agreement.
(k) Entire Agreement. This BAA constitutes the entire agreement between the parties with respect to the matters contemplated herein and supersedes all previous and contemporaneous oral and written negotiations, commitments, and understandings relating thereto.
IN WITNESS WHEREOF, the parties have executed this Agreement as of the dates set forth below.
Covered Entity
By:
Name:
Title:
Date:

Business Associate
ImageMoverMD, Inc.
By:
Name:
Title:
Date: