Business Associate Agreement
You (“Covered Entity”) and Lightning Step Technologies, LLC DBA ZenCharts (“Business Associate”) hereby enter into this Business Associate Agreement (“Agreement”) for purposes of compliance with federal law, as set forth below.
Recitals
WHEREAS, pursuant to the contractual relationship between the parties, Covered Entity may provide Business Associate with Protected Health Information (“PHI”), and Business Associate may create or receive PHI from other sources, so that Business Associate may perform its responsibilities pursuant to its underlying agreement(s) with and on behalf of Covered Entity.
WHEREAS, Covered Entity and Business Associate intend to protect the privacy of PHI and provide for the security of any electronic PHI received from Covered Entity, or created or received by Business Associate on behalf of the Covered Entity, in compliance with the Administrative Simplification portion of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”); in compliance with regulations promulgated pursuant to HIPAA, at 45 CFR, Parts 160 and 164; and in compliance with applicable provisions of the Health Information Technology for Economic and Clinical Health Act, as incorporated in the American Recovery and Reinvestment Act of 2009 (the “HITECH Act”) and any applicable regulations and/or guidance issued by the U.S. Department of Health and Human Services (“DHHS”) with respect to the HITECH Act.
WHEREAS, federal regulations promulgated pursuant to HIPAA, at 45 CFR § 164.314, 45 CFR § 164.502(e), and 45 CFR § 164.504(e) require Covered Entity, as a Covered Entity under HIPAA, to enter into written agreements with all Business Associates.
WHEREAS, for good and lawful consideration as set forth in the underlying agreement between the parties, Covered Entity and Business Associate enter into this agreement for the purpose of ensuring compliance with the requirements of HIPAA and the HITECH Act, and implementing regulations and/or guidance;
NOW THEREFORE, in consideration of the mutual covenants contained herein, the parties agree as follows:
Definitions
For purposes of this Agreement, the following terms used in this Agreement shall have the same meaning as those terms in the HIPAA Rules: Data Aggregation, Disclosure, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Subcontractor, Unsecured Protected Health Information, and Use, and the following specific definitions apply to this Agreement:
- Breach. “Breach” has the same meaning as provided in 45 CFR § 164.402.
- Business Associate. “Business Associate” shall generally have the same meaning as the term “Business Associate” at 45 CFR § 160.103, and in reference to the party to this agreement means the individual or entity identified as Business Associate in the first paragraph of this Agreement, and includes all employees, subcontractors, and agents of Business Associate.
- Covered Entity. “Covered Entity” shall generally have the same meaning as the term “Covered Entity” at 45 CFR § 160.103, and in reference to the party to this agreement means the individual or entity identified as Covered Entity in the first paragraph of this Agreement.
- Designated Record Set. “Designated Record Set” has the same meaning provided in 45 CFR § 164.501.
- Electronic Protected Health Information. “Electronic Protected Health Information” or “Electronic PHI” has the same meaning as provided in 45 CFR § 160.103, limited to the electronic information created, maintained, or received by Business Associate from or on behalf of Covered Entity.
- HIPAA Rules. “HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR, Part 160 and Part 164, along with all final rules promulgated pursuant to HIPAA and the HITECH Act relating to HIPAA.
- Individual. “Individual” has the same meaning provided in 45 CFR § 160.103 and includes a person who qualifies as a personal representative in accordance with 45 CFR § 164.502(g).
- Limited Data Set. “Limited Data Set” has the same meaning provided in 45 CFR § 164.514(e)(2).
- Non-permitted Disclosure. “Non-permitted Disclosure” means a disclosure, as defined in 45 CFR § 160.103, that is not permitted by this Agreement.
- Privacy Rule. “Privacy Rule” means the Standards for Privacy of Individually Identifiable Health Information at 45 CFR, Parts 160 and 164, Subparts A and E.
- Protected Health Information (PHI). “Protected Health Information” or “PHI” has the same meaning provided in 45 CFR § 160.103, limited to the information created, maintained, or received by Business Associate from or on behalf of Covered Entity.
- Required by Law. “Required by Law” has the same meaning provided in 45 CFR § 164.103.
- Secretary. “Secretary” means the Secretary of the Department of Health and Human Services or the Secretary’s designee.
- Security Incident. “Security Incident” has the same meaning provided in 45 CFR § 164.304.
- Security Rule. “Security Rule” means the Security Standards for the Protection of Electronic Protected Health Information at 45 CFR Part 164, Subpart C.
- Successful Security Incident. “Successful Security Incident” means a Security Incident that results in unauthorized access, use, disclosure, modification, or destruction of PHI or Electronic PHI. For purposes of example and without limiting the term, Successful Security Incident does not include Security Incidents where there is no unauthorized access, use, disclosure, modification, or destruction of PHI or Electronic PHI, such as pings on Business Associate’s firewall, port scans, attempts to log onto a system or enter a database with an invalid username or password, denial-of-service attacks that do not result in the system being taken offline, or malware such as worms or viruses.
- Unsecured Protected Health Information. “Unsecured Protected Health Information” has the same meaning provided in 45 CFR § 164.402.
Obligations and Activities of Business Associate
- Business Associate acknowledges and agrees that it is obligated by law to comply with HIPAA, HIPAA Rules, and the provisions of the HITECH Act applicable to Business Associates (or upon the effective date of any portion thereof shall be so obligated), and such provisions are incorporated herein and made a part of this Agreement. Covered Entity and Business Associate agree that any regulations issued by DHHS with respect to the HITECH Act that relate to the obligations of Business Associates shall be deemed incorporated into and made a part of this Agreement. Business Associate agrees not to use or disclose PHI other than as permitted or required by this Agreement or as Required by Law.
- Business Associate agrees to develop, implement, maintain, and use appropriate administrative, technical, and physical safeguards that reasonably and appropriately prevent the use or disclosure of PHI, other than as permitted by this Agreement, including, but not limited to, complying with Subpart C of 45 CFR, Part 164, with respect to electronic Protected Health Information.
- Business Associate will, in accordance with 45 CFR § 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any subcontractors that create, receive, maintain, or transmit Protected Health Information on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information. (For example, Business Associate will ensure that any agent, including a vendor or subcontractor to whom it provides PHI, agrees to implement reasonable and appropriate safeguards to ensure the confidentiality, integrity, and availability of the PHI.)
- At the request and direction of Covered Entity, the Business Associate shall make available Protected Health Information in a designated record set to either Covered Entity or an Individual or the Individual’s designee, as necessary and in a time and manner that is sufficient to satisfy Covered Entity’s obligations under 45 CFR § 164.524, and, where Required by Law, shall make such information available in an electronic format where directed by Covered Entity. In the case an Individual makes a request for access to information directly to the Business Associate, the Business Associate shall provide access to the Individual within the same time frame and same manner as would be required of the Covered Entity under law or, in the alternative, the Business Associate shall forward the Individual’s request to the Covered Entity within ten (10) business days of the request, in order for the Covered Entity to respond to the request.
- Business Associate shall make any amendment(s) to Protected Health Information in a designated record set as directed or agreed to by the Covered Entity pursuant to 45 CFR § 164.526, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 CFR § 164.526. If the Business Associate receives a request for amendment directly from the Individual, the Business Associate shall make any amendments to the information in the designated record set within the same time frame and same manner as would be required of the Covered Entity under law or, in the alternative, the Business Associate shall forward the Individual’s request for amendment(s) to the Covered Entity within five (5) business days of the request, in order for the Covered Entity to incorporate any amendments to the information in the designated record set.
- Business Associate agrees to make its internal practices, books, and records, including policies and procedures, and any PHI relating to the use and disclosure of PHI, available to the Secretary (including the Secretary’s designee) for purposes of determining compliance with this Agreement and/or applicable law. Business Associate will provide such access in a time and manner that is sufficient to meet any applicable requirements of applicable law.
- Business Associate agrees to document and maintain a record of disclosures of PHI and information related to such disclosures in a manner that is sufficient for Covered Entity or Business Associate to respond to a request by Covered Entity or an Individual for an accounting of disclosures of PHI and in accordance with 45 CFR § 164.528. Such documentation and record are referred to in this Agreement as an “Accounting.” Business Associate further shall provide any additional information where required by the HITECH Act and any implementing regulations. Business Associate will maintain the Accounting with respect to each disclosure of PHI, as that term is defined by the HIPAA Rules, made by Business Associate for at least six (6) years or the time frame required by the HIPAA Rules for Covered Entities and/or Business Associates to maintain such information, whichever is longer.
- The Business Associate shall maintain and make available the information required to provide an Accounting of disclosures to the Covered Entity within fifteen (15) days after the Covered Entity’s request for an Accounting of such disclosures, or another time frame agreed upon by the parties, in order for the Covered Entity to satisfy Covered Entity’s obligations under 45 CFR Part 164. In addition, where Business Associate is contacted directly by an Individual for an Accounting of disclosures, based upon information provided to the Individual by Covered Entity, and where so required by the HITECH Act and/or any implementing regulations, Business Associate shall make such Accounting available directly to the Individual within the time frame required under applicable law.
- When using or disclosing PHI, or when requesting PHI from or on behalf of Covered Entity, Business Associate shall, where required by the HITECH Act, utilize a Limited Data Set, if practicable. Otherwise, Business Associate agrees to make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request in accordance with, and unless excepted from, the minimum necessary limitation in 45 CFR § 164.502(b). Where required by the HITECH Act, Business Associate shall determine what constitutes the minimum necessary to accomplish the intended purpose of a disclosure.
- Business Associate shall not directly or indirectly receive remuneration in exchange for any PHI of an Individual, except as permitted by any applicable provisions of HIPAA and the HITECH Act, and specifically agreed to in writing by Covered Entity. Business Associate agrees to promptly report to Covered Entity any use or disclosure of PHI that is not permitted by this Agreement of which the Business Associate becomes aware.
- Business Associate agrees to promptly report to Covered Entity any Successful Security Incident of which Business Associate becomes aware. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate, of a use or disclosure of PHI by Business Associate in violation of the requirements of this Agreement or of a Successful Security Incident.
- In addition to the requirements of Subsection (j), Business Associate will report to Covered Entity, following discovery and without unreasonable delay, but in no event later than five (5) business days following discovery, any use or disclosure of Protected Health Information not provided for by the Agreement of which it becomes aware, including Breaches of unsecured Protected Health Information, as required at 45 CFR § 164.410, and any security incident of which it becomes aware.
- Business Associate shall cooperate with Covered Entity in investigating the Breach and in meeting Covered Entity’s obligations under the HITECH Act and any other applicable security Breach notification laws, including but not limited to providing Covered Entity with such information in addition to Business Associate’s report as Covered Entity may reasonably request.
- For purposes of this Subsection, discovery of a Breach by Business Associate shall be deemed to have occurred as of the first day on which such Breach is known to the Business Associate or, by exercising reasonable diligence, would have been known to the Business Associate. Business Associate shall be deemed to have knowledge of a Breach if the Breach is known, or, by exercising reasonable diligence would have been known, to any person other than the person committing the Breach who is an employee, officer, or other agent of Business Associate.
- Business Associate’s report under this Subsection shall, to the extent available at the time the initial report is required (i.e., no later than five (5) business days following discovery of the Breach), or as promptly thereafter as such information becomes available, but in no event later than thirty (30) days following discovery of the Breach, include:
- The identification (if known) of each Individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, acquired, accessed, used, or disclosed during such Breach;
- A description of the nature of the unauthorized acquisition, access, use, or disclosure, including the date of the Breach and the date of discovery of the Breach;
- A description of the type of Unsecured PHI acquired, accessed, used or disclosed in the Breach (e.g., name, social security number, etc.);
- The identity of the individual(s) or entity(ies) who received the unauthorized acquisition, access, use, or disclosure;
- A description of what the Business Associate is doing to investigate the Breach, to mitigate losses, and to protect against any further Breaches; and
- Contact information for Business Associate’s representatives knowledgeable about the Breach.
- Business Associate shall maintain (for a period of six (6) years after such determination) documentation to demonstrate the basis for any determination by the Business Associate that a non-permitted acquisition, access, use, or disclosure that compromises security or privacy of the PHI is not a Breach because:
- As provided in 45 CFR § 164.402(1)(i), it is an unintentional acquisition, access, or use of Protected Health Information by a workforce member or person acting under the authority of Business Associate, and such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted in Subpart E of 45 CFR, Part 164.
- As provided in 45 CFR § 164.402(1)(ii), it is inadvertent disclosure by a person who is authorized to access PHI by the Business Associate to another person authorized to access Protected Health Information by the same Business Associate, or organized health care arrangement in which Covered Entity and/or Business Associate participates, and the information received as a result of such disclosure is not further used or disclosed in a manner not permitted by Subpart E of 45 CFR, Part 164.
- As provided in 45 CFR § 164.402(1)(iii), the Business Associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.
The Business Associate’s documentation kept pursuant to the above should acknowledge that, except as provided above (pursuant to 45 CFR § 164.402(1)), an acquisition, access, use, or disclosure of Protected Health Information in a manner not permitted under Subpart E of 45 CFR, Part 164, is presumed to be a Breach and, unless the non-permitted acquisition, access, use, or disclosure fits one of the exceptions in Subsection 2k(iii),(a-c), the Business Associate’s documentation kept pursuant to this section must demonstrate that there is a low probability that the PHI was compromised, based on a detailed risk assessment of at least the following factors:
- The nature and extent of the Protected Health Information involved, including the types of identifiers and the likelihood of re-identification;
- The unauthorized person who used the Protected Health Information or to whom the disclosure was made;
- Whether the Protected Health Information was actually acquired or viewed; and
- The extent to which the risk to the Protected Health Information has been mitigated.
The Business Associate shall, to the extent the Business Associate is to carry out one or more of Covered Entity’s obligation(s) under Subpart E of 45 CFR, Part 164, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s).
Permitted Uses and Disclosures by Business Associate
- Business Associate may not use or disclose Protected Health Information in a manner that would violate Subpart E of 45 CFR, Part 164, if done by Covered Entity, except for the specific uses and disclosures as follows:
- Business Associate may use or disclose Protected Health Information as Required by Law.
- Business Associate may use or disclose PHI as necessary to perform functions, activities, or services to or on behalf of Covered Entity under any service agreement(s) with Covered Entity if Business Associate’s use or disclosure of PHI would not violate the Privacy Rule or HITECH Act if done by Covered Entity.
- Business Associate may use Protected Health Information for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate.
- Business Associate may disclose Protected Health Information for the proper management and administration of Business Associate or to carry out the legal responsibilities of the Business Associate, provided the disclosures are Required by Law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and used or further disclosed only as Required by Law or for the purposes for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been Breached.
- Business Associate may provide data aggregation services relating to the health care operations of the Covered Entity as permitted by 45 CFR § 164.504(e)(2)(i)(B).
- Business Associate may use PHI to report violations of law to appropriate Federal and State authorities, consistent with 45 CFR § 164.502(j)(1).
- Business Associate agrees to make uses and disclosures and requests for Protected Health Information consistent with Covered Entity’s minimum necessary policies and procedures.
- Business Associate is authorized to use Protected Health Information to de-identify the information in accordance with 45 CFR 164.514(a-c).
Obligations of Covered Entity
- Covered Entity will notify Business Associate of any limitations on uses or disclosures described in its notice of privacy practices (“NPP”) in accordance with 45 CFR § 164.520(b)(2) or required by the HITECH Act, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI.
- Covered Entity will notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent that such changes or revocation may affect Business Associate’s use or disclosure of PHI.
- Covered Entity will notify Business Associate of any restriction of the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR § 164.522 or that applies pursuant to the HITECH Act, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.
- Covered Entity will notify Business Associate of any alternative means or locations for receipt of communications by an Individual which must be accommodated or permitted by Covered Entity pursuant to 45 CFR § 164.522, to the extent that such alternative means or locations may affect Business Associate’s use or disclosure of PHI.
- Except as otherwise provided in this Agreement, Covered Entity shall not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under Subpart E of 45 CFR, Part 164, if done by Covered Entity.
Term, Termination, and Breach
This Agreement is effective when fully executed and will terminate when all PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity.
Upon a determination by either party that the other party to this Agreement has committed a violation or material breach of this Agreement, the non-breaching party may take any one or more of the following steps:
- Provide written notice of the violation or breach to the breaching party, and if the party does not cure the breach or end the violation within thirty (30) days after mailing of notice, terminate this Agreement;
- Immediately terminate this Agreement if the breach is material, and cure of the material breach is not possible; or,
- If neither termination nor cure is feasible, elect to continue this Agreement and report the violation or material breach to the Secretary.
Obligations of Business Associate Upon Termination
Upon termination of this Agreement for any reason, Business Associate, with respect to Protected Health Information received from Covered Entity, or created, maintained, or received by Business Associate on behalf of Covered Entity, shall:
- Retain only that Protected Health Information which is necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities;
- Return or destroy, at the discretion of Covered Entity, all PHI received from Covered Entity or created or received by Business Associate on behalf of Covered Entity, and upon request by Covered Entity, certify such destruction and return in writing. This provision will also apply to PHI that is in the possession of employees, subcontractors, or agents of Business Associate. Except as set forth in (6)(a)(i), above, neither Business Associate nor any employee, subcontractor, or agent of Business Associate will retain copies of the PHI. If Business Associate determines that returning or destroying the PHI, as directed by Covered Entity, is not feasible, Business Associate will notify Covered Entity of the circumstances making return or destruction infeasible. If Covered Entity agrees that return or destruction is infeasible, then this Agreement will remain in effect with respect to such PHI, and Business Associate will limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI.
- Continue to use appropriate safeguards and comply with Subpart C of 45 CFR, Part 164, with respect to electronic Protected Health Information to prevent use or disclosure of the Protected Health Information, other than as provided for in this Section, for as long as Business Associate retains the Protected Health Information;
- Not use or disclose the Protected Health Information retained by Business Associate other than for the purposes for which such Protected Health Information was retained and subject to the same conditions set out at Section 3, above, under “Permitted Uses and Disclosures By Business Associate,” which applied prior to termination; and
- Return to Covered Entity or, if agreed to by Covered Entity, destroy the Protected Health Information retained by Business Associate when it is no longer needed by Business Associate for its proper management and administration, or to carry out its legal responsibilities.
- Transmittal of PHI to Other Business Associate of Covered Entity: Upon termination, if requested by Covered Entity, Business Associate shall transmit the PHI to another Business Associate of the Covered Entity at termination.
- Subcontractors of Business Associate: Upon termination, Business Associate shall obtain or ensure the destruction of Protected Health Information created, received, or maintained by its subcontractors as a consequence of, or arising out of, this Agreement.
- Survival of Business Associate’s Obligations in Section. The obligations of Business Associate under this Section shall survive the termination of this Agreement.
Miscellaneous
- Regulatory References. A reference in this Agreement to a section in the HIPAA Rules means the section as in effect or as amended.
- Amendment. The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for compliance with the requirements of the HIPAA Rules and any other applicable law.
- Interpretation. Any ambiguity in this Agreement shall be interpreted to permit compliance with the HIPAA Rules.
- Survival of Other Rights and Obligations of Business Associate. Notwithstanding the expiration or termination of this Agreement or any renewal period, it is acknowledged and agreed that those rights and obligations of Business Associate which by their nature are intended to survive such expiration or termination shall survive.
- Conflict. In the event the terms of this Agreement conflict with the terms of any other agreement between Covered Entity and Business Associate, then the terms of this Agreement shall control.
Notice.
Notices and requests provided for under this Agreement will be made to the Business Associate at:
ZenCharts
5757 Woodway Dr., Suite 278
Houston, TX 77057
Except as expressly otherwise provided by law, nothing in this Agreement provides or is intended to provide any benefit to any third party. Each party will indemnify and hold harmless the other party, its subsidiaries and affiliates and any officer, director, employee, or agent from and against any claim or liability, including attorney’s fees and costs, arising out of or in connection with the party’s or the party’s employee’s, agent’s, or subcontractor’s violation of the terms of this Agreement, HIPAA, the HITECH Act, or the Privacy Rule or other implementing regulations or guidance.
Business Associate agrees to pay the reasonable costs incurred by Covered Entity arising from or related to addressing any Breach by Business Associate, including but not limited to investigation, notification, and credit monitoring services.
Any ambiguity in this Agreement shall be resolved to permit the parties to comply with the HITECH Act, HIPAA, the Privacy Rule, the Security Rule, and other implementing regulations and guidance.
This Agreement shall replace and supersede any prior Business Associate Agreement between the parties.