This HIPAA Business Associate Agreement (“BAA”) is incorporated as Exhibit A into the Commonly Well Subscription and Services Agreement, entered into by and between Commonly Well, PBC, a Delaware public benefit corporation, with its principal place of business at 3 College Park Road, Potsdam, NY 13676 (“CW”) and CUSTOMER NAME, with its principal place of business at ADDRESS (“Customer”), effective as of DATE (the “Agreement”).
In accordance with the Agreement, CW will provide certain services (“Services”) to Customer, making CW a Business Associate (as defined below) to Customer. In providing the Services to Customer, CW may, therefore, access, store, send, or receive Protected Health Information or PHI (as defined below) on Customer’s behalf.
By executing this BAA, CW and Customer intend to protect the privacy and provide for the security of PHI in compliance with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, and the privacy, security, breach notification and enforcement regulations promulgated to implement HIPAA and HITECH (collectively, the “HIPAA Laws”).
In the event of a conflict between the terms of the Agreement and this BAA, the provisions of this BAA will control with respect to PHI only. Any ambiguity in this BAA shall be interpreted to be in compliance with the HIPAA Laws. All other terms and provisions of the Agreement shall continue to apply except in the event of a conflict.
In consideration of the foregoing recitals and other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the parties agree as follows:
1. DEFINITIONS. The following terms used in this BAA have the same meaning as those terms in the HIPAA Laws: Breach, Business Associate, Covered Entity, Data Aggregation, Notice of Privacy Practices, Protected Health Information (or “PHI”), Security Incident and Unsecured PHI. All other capitalized terms not defined herein shall have the meaning provided to them in the Agreement.
2. OBLIGATIONS AND ACTIVITIES OF COMMONLY WELL.
2.1 Scope of Obligations and Compliance. CW acknowledges and agrees that all PHI that is created for or received from Customer shall be subject to this BAA. CW agrees to comply with all HIPAA Laws applicable to the use and disclosure of such PHI by CW. CW may not use or further disclose PHI other than as permitted or required by the Agreement and this BAA.
2.2 Permitted Uses and Disclosures by CW. CW may use and disclose PHI as follows:
(a) As permitted under the Agreement and this BAA, or as permitted or required by law;
(b) For the proper management and administration of CW or to carry out the legal responsibilities of CW, so long as: (i) CW obtains reasonable assurances from the person to whom the PHI is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person; and (ii) the person notifies CW of any instances of which it is aware in which the confidentiality of the PHI has been compromised or used or disclosed in violation of this BAA;
(c) In CW’s capacity as a Business Associate under the Agreement and this BAA;
(d) To provide Data Aggregation services related to the health care operations of a Covered Entity; and
(e) To de-identify PHI in accordance with HIPAA standards for de-identification set out at 45 C.F.R. § 164.514(b). To the extent CW does de-identify PHI consistent with such HIPAA standards, the parties agree that such information is no longer subject to the HIPAA Laws, and CW may use and disclose this de-identified information for its own purposes.
2.3 Safeguards. CW shall use appropriate safeguards under the HIPAA Laws to prevent use or disclosure of PHI other than as provided for by the Agreement and this BAA.
2.4 Contractors. CW shall, in accordance with 45 C.F.R. § 164.502(e)(1)(ii), ensure that any of its contractors that create, receive, maintain, or transmit PHI on behalf of Customer agree to materially the same restrictions and conditions that apply to CW with respect to such PHI.
2.5 Notification of PHI Disclosure. CW shall report to Customer any use or disclosure of PHI not provided for by the Agreement or this BAA of which CW becomes aware. CW shall also report to Customer any Security Incident information of which it becomes aware; provided, however, that CW will not be required to advise Customer of routine network traffic and administrative notifications. In addition, and without unreasonable delay and in no case later than 60 calendar days after discovery of any Breach of Unsecured PHI, CW shall report to Customer any such Breaches of Unsecured PHI consistent with 45 C.F.R. § 164.410.
2.6 Access to Information. No later than 30 days after receipt of a request, CW shall make PHI available to Customer in compliance with 45 C.F.R. § 164.524.
2.7 Amendments. No later than 60 days after receipt of a request, CW shall make PHI available to Customer for amendment in compliance with 45 C.F.R. § 164.526.
2.8 Accounting of Disclosures. No later than 60 days after receipt of a request, CW shall make available to Customer the information necessary to provide an accounting of disclosures in compliance with 45 C.F.R. § 164.528.
2.9 Carrying Out Covered Entity Obligations. To the extent to which CW carries out a Covered Entity’s obligations under the HIPAA Laws and the Agreement or this BAA, CW shall comply with the HIPAA Laws that apply to Covered Entity in the performance of such obligations. Notwithstanding anything to the contrary, however, any such obligations will be undertaken only at the instruction of Customer, and Customer shall be responsible for confirming that any such obligations comply with the HIPAA Laws.
2.10 Access to Internal Records. CW shall make its internal practices, books, and records relating to the use and disclosure of PHI under this BAA available to the Secretary of the United States Department of Health and Human Services for purposes of determining a Covered Entity’s compliance with the HIPAA Laws, if and only to the extent that such obligation cannot be met by Customer.
3. OBLIGATIONS OF CUSTOMER. Customer shall not request or cause CW to use or disclose PHI, whether through the Services or otherwise, in any manner that is not permissible under the HIPAA Laws.
4. TERM AND TERMINATION.
4.1 Term. The term of this BAA shall be the same as that of the Agreement.
4.2 Termination. This BAA shall terminate upon any termination or expiration of the Agreement. In addition, if CW materially violates this BAA, Customer may terminate the Agreement and this BAA upon written notice to CW; provided, however, that Customer shall first notify CW of the potential violation and provide CW with an opportunity to confirm that no violation has occurred or to cure such violation within 30 business days. If CW does not confirm that no violation has occurred to CW’s reasonable satisfaction or cure the violation within 30 business days, Customer may terminate this BAA by written notice to CW.
4.3 Obligations of CW Upon a Termination. Upon termination or expiration of this BAA for any reason, CW shall, if feasible, return to Customer, or destroy, all PHI under this BAA that CW still maintains in any form, and CW shall not retain copies of such information. However, if return or destruction is not feasible, CW may retain such PHI, and CW agrees to continue using appropriate safeguards and comply with the HIPAA Laws as applicable to any retained PHI. The terms of this BAA shall survive for so long as CW holds or has access to such PHI.
5. QUALIFIED SERVICE ORGANIZATION AGREEMENT. The parties agree that if and only to the extent CW acts as a Qualified Service Organization as defined by 42 C.F.R. Part 2 (“Part 2”) to Customer, CW shall comply with the following additional terms:
(a) CW acknowledges that in receiving, storing, processing or otherwise dealing with any patient substance abuse records subject to the obligations of Part 2, it is fully bound by the requirements of Part 2; and
(b) If legally necessary, CW will resist in judicial proceedings any efforts to obtain access to such patient substance abuse records, except as permitted by Part 2. Notwithstanding anything to the contrary, however, Customer shall bear any cost or expense incurred by CW as a result of this Section 5(b).
6. ADDITIONAL TERMS. The parties agree to take such action to amend this BAA as necessary for compliance with the HIPAA Laws.
7. SIGNATURE. The parties acknowledge and agree that signature to the Agreement shall constitute all necessary signatures for this BAA.