HIPAA Business Associate Agreement
If Customer is a Covered Entity or Business Associate, Customer Data includes Protected Health Information, and Prescryptive is providing Services as a Business Associate, the terms of this HIPAA Business Associate Agreement (this “BAA”) shall be incorporated into that Prescryptive customer agreement (the “Related Agreement”) between Prescryptive and Customer.
1. Definitions. Capitalized terms not defined herein shall have the meaning set forth in the Related Agreement.
- (a) “Covered Entity” shall have the same meaning as the term “Covered Entity” in 45 C.F.R. § 160.103 of HIPAA.
- (b) “Breach” shall have the same meaning as the term “breach” in 45 C.F.R. § 164.402.
- (c) “Breach Notification Rule” means the Breach Notification for Unsecured Protected Health Information Final Rule.
- (d) “Business Associate” shall have the same meaning as the term “Business Associate” in 45 C.F.R. § 160.103 of HIPAA.
- (e) “Designated Record Set” shall have the same meaning as the term “designated record set” in 45 C.F.R. § 164.501.
- (f) “Electronic Protected Health Information” shall mean Protected Health Information that is transmitted by or maintained in electronic media as defined in 45 C.F.R. § 160.103.
- (g) “HIPAA” shall mean the Health Insurance Portability and Accountability Act of 1996 enacted by the United States Congress and its implementing regulations promulgated thereunder, as amended from time to time, including the Privacy Rule, the Breach Notification Rule, and the Security Rule as amended from time to time, including by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, and by the Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the HITECH Act and the Genetic Information Nondiscrimination Act; Final Rule.
- (h) “Individual” shall have the same meaning as the term “individual” in 45 C.F.R. § 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. § 164.502(g).
- (i) “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. Part 160 and Part 164, Subparts A and E, as they may be amended from time to time.
- (j) “Protected Health Information” shall have the same meaning as given this term in 45 C.F.R. § 160.103 of HIPAA, provided that it is limited to such protected health information that is received by Prescryptive from, or created, received, maintained, or transmitted by Prescryptive on behalf of, Customer. For purposes of this BAA, Protected Health Information does not include health information that has been de-identified in accordance with the standards for de-identification set forth in the Privacy Rule.
- (k) “Required by Law” shall mean a legal mandate as described under 45 C.F.R. § 164.103 that compels an entity to use or disclose Protected Health Information and that is enforceable in a court of law (including, but not limited to, court orders and court-ordered warrants, a summons issued by a court or grand jury, and subpoenas which have been issued in accordance with the notice, qualified protective order and other procedures described in 45 C.F.R. § 164.512(e)).
- (l) “Secretary” shall mean the Secretary of the U.S. Department of Health and Human Services or his or her designee.
- (m) “Security Incident” shall have the same meaning as the term “security incident” in 45 C.F.R. § 164.304.
- (n) “Security Rule” shall mean the standards for the security of Electronic Protected Health Information at 45 C.F.R. Part 164, Subpart C, as amended from time to time.
- (o) “Unsecured Protected Health Information” shall have the same meaning as the term “unsecured protected health information” in 45 C.F.R. § 164.402, and guidance promulgated thereunder.

Capitalized terms used in this BAA and not otherwise defined herein shall have the meanings set forth in the Privacy Rule, the Security Rule, and the HIPAA Final Rule, which definitions are incorporated in this BAA by reference.
2. Permitted Uses and Disclosures by Prescryptive.
- (a) Performance of the Related Agreement(s). Except as otherwise limited in this BAA, Prescryptive may use or disclose Protected Health Information to perform functions, activities, or services for, or on behalf of, Customer as specified in the Related Agreement, provided that such use or disclosure would not violate the Privacy Rule if carried out by Customer, unless expressly permitted under paragraph (b) of this Section.
- (b) Management, Administration, and Legal Responsibilities. Except as otherwise limited in this BAA, Prescryptive may use and disclose Protected Health Information for the proper management and administration of Prescryptive and/or to carry out the legal responsibilities of Prescryptive, provided that any disclosure may occur only if (1) Required by Law; or (2) Prescryptive obtains written reasonable assurances from the person to whom the Protected Health Information is disclosed that it will be held confidentially and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person, and the person notifies Prescryptive of any instances of which it becomes aware in which the confidentiality of the Protected Health Information has been breached. Notwithstanding anything to the contrary, Prescryptive may use Protected Health Information to report violations of law to appropriate Federal and State authorities, consistent with 45 C.F.R. § 164.502(j)(1).
- (c) Data Aggregation. Except as otherwise limited in this BAA, Prescryptive may use Protected Health Information to provide Data Aggregation services for Health Care Operations of Customer as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B).
- (d) De-identified Data. Prescryptive may de-identify Protected Health Information in accordance with the standards set forth in 45 C.F.R. § 164.514(b) and may use or disclose such de-identified data unless prohibited by applicable law.
- (e) Limitations. Prescryptive shall not violate the HIPAA prohibition on the sale of Protected Health Information. Prescryptive shall make reasonable efforts to use, disclose, and/or request the minimum necessary Protected Health Information to accomplish the intended purpose of such use, disclosure or request.
3. Responsibilities with Respect to Protected Health Information.
- (a) Prescryptive’s Responsibilities. To the extent Prescryptive is acting as a Business Associate, Prescryptive agrees to the following:
- Prescryptive shall not use or disclose Protected Health Information except as permitted or required by the Related Agreement(s) and/or this BAA (inclusive of Exhibit 1 (Designated Business Associates)) or as otherwise Required by Law;
- Prescryptive shall not use or disclose Protected Health Information unless such use or disclosure, respectively, is in compliance with each applicable requirement of 45 C.F.R. § 164.504(e);
- Prescryptive shall (1) use reasonable and appropriate safeguards to prevent inappropriate use or disclosure of Protected Health Information other than as provided for by this BAA, and (2) maintain compliance with 45 C.F.R. Part 164, Subpart C, and as required by the HITECH Act;
- Prescryptive shall not disclose Protected Health Information received from Customer, or created or received by Prescryptive on behalf of Customer, to any person or entity, including any agent or subcontractor of Prescryptive (but not including a member of Prescryptive’s own workforce), until such person or entity agrees in writing to be bound by terms substantially consistent with the provisions of this BAA and applicable state or Federal law;
- If Prescryptive maintains Protected Health Information in a “designated record set” for Customer, then Prescryptive shall, within 30 days of a written request by Customer on behalf of an Individual or by an Individual who is the subject of Protected Health Information, make access to such information available to Customer or the Individual in accordance with 45 C.F.R. § 164.524 of the Privacy Rule; provided, however, that Prescryptive is not required to provide such access where the Protected Health Information contained in a designated record set is duplicative of the Protected Health Information contained in a designated record set possessed by Customer;
- If Prescryptive maintains Protected Health Information in a “designated record set” for Customer, then Prescryptive shall, within 60 days of a written request by Customer on behalf of an Individual or by an Individual who is the subject of Protected Health Information, make any amendment(s) to such Protected Health Information that may be requested or agreed to by the Individual pursuant to the amendment requirements under 45 C.F.R. § 164.526;
- Prescryptive shall make internal practices, books, and records, including policies and procedures and Protected Health Information, relating to the use and disclosure of Protected Health Information received from, or created or received on behalf of Customer available to the Secretary promptly or in the time and manner designated by the Secretary for purposes of determining Customer’s compliance with HIPAA, subject to attorney-client and other applicable legal privileges;
- Prescryptive will mitigate to the extent reasonably practicable a harmful effect that is known to Prescryptive of a use or disclosure of Protected Health Information by Prescryptive that is not permitted by this BAA.
- Prescryptive shall maintain a record of each disclosure of Protected Health Information by Prescryptive or its employees, agents, representatives or subcontractors in each case to the extent required in order for Customer to meet the accounting requirements of 45 C.F.R. § 164.528 (listing the date of disclosure, the name and address of the recipient, the subject of the information, a brief description of what was disclosed and the purpose of the disclosure); and to provide a copy of such record to an Individual who is the subject of such information within 60 days of a request, including disclosures made on or after the date that is six (6) years prior to the request or April 14, 2003, whichever is later; and
- Prescryptive shall report to Customer (a) any Use and/or Disclosure of Customer’s Electronic Protected Health Information that is not permitted or required by this BAA of which Prescryptive becomes aware; (b) any Security Incident of which it becomes aware, provided that notice is hereby deemed given for Unsuccessful Security Incidents and no further notice of such Unsuccessful Security Incidents shall be given; and/or (c) any Breach of Customer’s Unsecured Protected Health Information that Prescryptive may discover (in accordance with 45 C.F.R. § 164.410 of the Breach Notification Rule). Notification of a Breach will be made without unreasonable delay, but in no event more than five (5) business days after Prescryptive’s determination of a Breach. For purposes of this Section, “Unsuccessful Security Incidents” mean, without limitation, pings and other broadcast attacks on Prescryptive’s firewall, port scans, unsuccessful log-on attempts, denial of service attacks, and any combination of the above, as long as such incident does not result in unauthorized access, acquisition, Use, or Disclosure of Protected Health Information. Notification(s) under this Section, if any, will be delivered to contacts identified by Customer pursuant to Section 5(a) (Notices) of this BAA by any means Prescryptive selects, including through e-mail. Prescryptive’s obligation to report under this Section is not and will not be construed as an acknowledgement by Prescryptive of any fault or liability with respect to any Use, Disclosure, Security Incident, or Breach.
- (b) Customer’s Responsibilities.
- Customer shall not request Prescryptive to use or disclose Protected Health Information in any manner that would not be permissible under the Privacy Rule or Security Rule if carried out by Customer.
- Customer will obtain any consent or authorization that may be required by the Privacy Rule, or applicable state law, prior to furnishing Prescryptive with Protected Health Information. Customer will notify Prescryptive of any changes in, or revocation of, permission by an Individual to use or disclose Protected Health Information, to the extent that such changes may affect Prescryptive’s use or disclosure of Protected Health Information. Customer will provide such notice no later than fifteen (15) days prior to the effective date of the change.
- Customer hereby agrees that any reports, notification, or other notice by Prescryptive pursuant to this BAA may be made electronically. Customer shall provide contact information to PSOC@prescryptive.com (or such other location or method of updating contact information as Prescryptive may specify from time to time) and shall ensure that Customer’s contact information remains up to date during the term of this BAA. Contact information must include the name of individual(s) to be contacted, title of individual(s) to be contacted, e-mail address of individual(s) to be contacted, name of Customer organization, and, if available, Customer’s contract number, Group Number, or subscriber identification number. Failure to submit and maintain as current the aforementioned contact information may delay Prescryptive’s ability to provide Breach notifications under this BAA.
- Customer shall be responsible for implementing appropriate privacy and security safeguards to protect its Protected Health Information in compliance with HIPAA. Without limitation, it is Customer’s obligation to (a) not include Protected Health Information in information Customer submits to technical support personnel through a support request or to community forums. In addition, Prescryptive does not act as, or have the obligations of, a Business Associate under HIPAA with respect to Customer’s data once it is sent to or from Customer outside Prescryptive services over the public Internet, or if Customer fails to follow applicable instructions regarding data transfer or transport; and (b) implement privacy and security safeguards in the systems, applications, and software Customer controls, configures, and uploads into Prescryptive services or uses in connection with Prescryptive services.
4. Term and Termination.
- (a) Term. The Term of this BAA shall commence as of the Effective Date, and shall terminate when all of the Protected Health Information, including Electronic Protected Health Information, provided by Customer to Prescryptive, or created or received by Prescryptive on behalf of Customer, is destroyed or returned to Customer or, if it is unfeasible to return or destroy Protected Health Information, protections shall be extended to such information in accordance with Section 5(d) below.
- (b) Termination for Cause. Upon either party’s discovery of a material breach of this BAA the non-breaching party may, in its sole discretion:
- provide 30 days’ written notice of the breach, providing an opportunity for the breaching party to cure the breach or end the violation to the non-breaching party’s satisfaction within that 30 days; and, if no cure is effected, immediately thereafter terminate this BAA and Related Agreement(s); or
- immediately terminate this BAA and Related Agreement if cure is not possible or if the breaching party has breached a material term of this BAA more than once in a 12-month period.
- (c) Effect of Termination. Except as provided in Section 5(d) below, upon termination of the Related Agreement or this BAA for any reason, Prescryptive shall return or, if requested by Customer, destroy all Protected Health Information received from Customer or created or received by Prescryptive on behalf of Customer, and maintained in any form, if it is feasible to do so. This provision shall also apply to Protected Health Information that is in the possession of subcontractors or agents of Prescryptive. Prescryptive shall retain no copies of the Protected Health Information, except that which is related to any individual who elects to begin or continue receiving services offered by Prescryptive after Prescryptive’s business relationship with Customer has ended. To the extent permitted by law, Prescryptive contacting such individuals to obtain such consent and/or to offer continuation of such services shall not be considered a breach of any of Prescryptive’s obligations under this BAA or any Related Agreement.
- (d) Extension of Protections. If it is infeasible for Prescryptive to return or destroy any Customer Protected Health Information, Prescryptive shall continue to maintain the security and privacy of such Protected Health Information in a manner consistent with the obligations of this BAA and as required by applicable law and shall limit further use of the information to those purposes that make the return or destruction of the information unfeasible. This obligation shall endure for so long as Prescryptive maintains such Protected Health Information, and the duties described hereunder to maintain the security and privacy of Protected Health Information shall survive the termination of this BAA and any Related Agreement.
- (a) Entire Agreement. This BAA, including the Exhibits attached hereto, constitutes the entire agreement between Customer and Prescryptive with respect to the subject matter hereof and supersedes all prior agreements and understandings, both written and oral, between Prescryptive and Customer with respect to the subject matter thereof.
- (b) Notices. Except as provided under Section 3 (Responsibilities with Regard to Protected Health Information) any notice provided for in this BAA and any other notice, demand or communication required or permitted to be given under this BAA or which any party may wish to send to another (“Notice”) shall be in writing and shall be served by (i) personal delivery; (ii) registered or certified U.S. Mail, or by comparable private carrier, First Class, return receipt requested in a sealed envelope, postage or other charges prepaid; or (iii) telegram, telecopy, facsimile, telex or other similar form of communication, addressed to the party for whom the Notice is intended as provided in the Related Agreement. All Notices given pursuant to this Section 5(a) shall be deemed given and effective when received if personally delivered or sent by telegram, telecopy, telex or similar form of communication, or, if mailed, on the date shown as received on the return receipt, or, if sent by overnight courier, on the date shown for receipt on the courier’s records. Either party may change to whom or where Notice is to be given by providing Notice to the other party of such change at such other party’s last address provided pursuant to this BAA.
- (c) Regulatory References. A reference in this BAA to a section in the Privacy Rule or the Security Rule means the section as in effect or as amended.
- (d) Recitals. The recitals are material terms of this BAA and are incorporated by reference herein.
- (e) Amendment. Prescryptive may amend this BAA from time to time, with 30 days’ prior written notice to Customer, in order to maintain compliance with state or Federal law, including the laws, regulations and guidance under HIPAA. Such amendment shall be binding upon Customer at the end of the 30-day period and shall not require the consent of Customer. If Customer disagrees with such amendment it may in turn, upon 30 days’ advance written notice to Prescryptive, elect to discontinue this BAA. However, Prescryptive’s duties hereunder and under any Related Agreement to maintain the security and privacy of Protected Health Information shall survive such discontinuance. The parties may otherwise amend this BAA by mutual written agreement.
- (f) Indemnification. Prescryptive shall, to the fullest extent permitted by law, protect, defend, indemnify and hold harmless Customer and Customer’s subsidiaries and affiliates and their respective directors, shareholders, officers, employees, agents and administrators (except for Prescryptive and Prescryptive’s own employees, directors or agents) (“Indemnitees”) from and against any and all losses, costs, claims, penalties, fines, demands, liabilities, legal actions, judgments and expenses of every kind (including reasonable attorney fees, both at trial and on appeal) asserted or imposed against any Indemnitee arising out of the acts or omissions of Prescryptive or any subcontractor or consultant of Prescryptive or any of Prescryptive’s employees, directors or agents that are (i) in violation of this Agreement, the Privacy Rule, the Security Rule, or the HITECH Act or any regulations promulgated thereunder or (ii) that constitutes a Security Incident or Breach of Unsecured Protected Health Information; provided, however, that in no event will the aggregate liability of Prescryptive under or in connection with this Agreement or its subject matter, including any orders, under any legal or equitable theory, including breach of contract, tort (including negligence), strict liability and otherwise, exceed the value of all amounts paid by Customer to Prescryptive under the Related Agreement during the 12 months preceding the act or omission alleged to give rise to such liability. Notwithstanding anything to the contrary in this Agreement, the Related Agreement, or otherwise, the foregoing terms shall be the sole indemnity available to Indemnitees for any act or omission by Prescryptive that would trigger Prescryptive’s obligations under this Subsection (f) (Indemnification).
- (g) Interpretation. Any ambiguity in this BAA shall be resolved to permit Prescryptive to comply with the Privacy Rule, the Security Rule, the HITECH Act and any regulations promulgated thereunder. In the event that any provision(s) of this BAA is contrary to or inconsistent with the parties’ business relationship, dealings, understanding, agreements or the Related Agreement, the provisions of this BAA shall control.
- (h) No Agency Relationship. It is not intended that an agency relationship (as defined under the Federal common law of agency) be established hereby expressly or by implication between Customer and Prescryptive under this BAA, HIPAA or the Privacy Rule, Security Rule, or Breach Notification Rule. No terms or conditions contained in this BAA shall be construed to make or render Prescryptive an agent of Customer.
- (i) No Third-Party Beneficiaries. Nothing express or implied in this BAA is intended to confer, nor shall anything in this BAA confer, upon any person other than the parties hereto, and the respective successors or assigns of the parties, any rights, remedies, obligations, or liabilities whatsoever.