A. The parties wish to comply with the Health Insurance Portability and Accountability Act of 1996, as amended from time to time and including changes made under the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), and all pertinent regulations issued by the U.S. Department of Health and Human Services, as amended from time to time (collectively “HIPAA”), and other applicable Federal and State confidentiality, privacy, and security laws.
B. Customer is a Covered Entity “CE” as defined or construed under HIPAA.
C. Float Care is the Business Associate “BA” who is in the business of licensing certain software.
D. Customer is entering into a business relationship with Float Care that is memorialized in the Agreement pursuant to which Float Care may have access to “protected health information” and may be considered a “business associate” and “limited data set recipient” of Customer as those terms are defined or construed under HIPAA.
1 Definitions - For purposes of this Business Associate Agreement, the following terms have the following meanings:
a. “Breach” - has the same meaning as the term “breach” in 45 C.F.R. §164.402.
b. “Designated Record Set” - means the same as the term “designated record set” defined in 45 C.F.R. § 164.501.
c. “Protected Health Information” - means the same as the term “protected health information” as defined in 45 C.F.R. § 164.103, as the same may be amended from time to time.
d. “Privacy Rule” - means the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. Part 160 and Part 164 Subparts A and E, as may be amended from time to time.
e. “Required By Law” - means the same as the term “required by law” defined in 45 C.F.R. § 164.103.
f. “Secretary” - means the Secretary of the U.S. Department of Health and Human Services or his or her designee.
g. “Security Incident” - means the successful unauthorized access, use, disclosure, modification, or destruction of PHI maintained or interference with system operations in an information system maintained by Float Care that contains PHI received from Customer.
h. “Unsecured Protected Health Information” - means PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in guidance issued pursuant to (or otherwise defined in) § 13402(h)(2) of the HITECH Act.
2 Float Care Warranties - Float Care, in connection with this Agreement, represents, warrants, and covenants that, to the extent that Float Care creates, maintains, or receives any PHI or Unsecured PHI on behalf of Customer, Float Care will:
a. not use or further disclose the PHI or Unsecured PHI other than as permitted or required by the Agreement between the parties or as Required By Law;
b. use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by the Agreement or as permitted by law;
c. report to Customer any Security Incident or any use or unauthorized disclosure of PHI not provided for by this Business Associate Agreement of which Float Care becomes aware;
d. following discovery and without unreasonable delay, but in no event later than 60 days following discovery, report any breach of Unsecured PHI to Customer;
e. ensure that any agents, including subcontractors, who receive PHI either received from, or created or received on behalf of, Customer apply the same restrictions and conditions that apply to it with respect to such information;
f. to the extent possible, provide access or make the PHI available to Customer in a Designated Record Set at reasonable times at the request of or as directed by Customer to an individual in order to meet the requirements of and in accordance with 45 C.F.R. § 164.524 of the Privacy Rule;
g. make available PHI for amendment to Customer or as directed by Customer and incorporate any amendments to PHI in accordance with 45 C.F.R. § 164.526 of the Privacy Rule;
h. document and make available such information pursuant to commercially reasonable directions of Customer in order to provide an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 of the Privacy Rule;
i. make any internal practices, books and records relating to the use and disclosure of PHI received from, or created or received on behalf of, Customer available to the Secretary of the U.S. Department of Health and Human Services for the purposes of determining Customer's compliance with the Privacy Rule;
j. return or destroy all PHI or Unsecured PHI received from Customer (or created or received by Float Care on behalf of Customer) that Float Care maintains in any form at the termination of this Business Associate Agreement except as may be required or permitted by Federal or State laws or regulations, this Business Associate Agreement, or the Agreement;
k. to the extent Float Care is to carry out an obligation of Customer under Subpart E of 45 C.F.R. Part 164, comply with the requirements of Subpart E of 45 C.F.R. Part 164 that apply to Customer in the performance of such obligation; and
l. ensure that any subcontractors that create, receive, maintain, or transmit electronic PHI on behalf of Float Care agree to comply with the applicable requirements of HIPAA by entering into a HIPAA-compliant business associate contract.
3 Customer Warranties - Customer represents, warrants, and covenants that Customer:
a. must provide Float Care a copy of Customer’s Notice of Privacy Practices (“Notice”) produced by Customer in accordance with 45 C.F.R. § 164.520 as well as any changes to Customer’s Notice;
b. must provide Float Care with any changes in, or revocation of, authorizations by individuals relating to the use or disclosure of PHI, if such changes affect Float Care’s permitted or required uses or disclosures;
c. must notify Float Care of any restriction to the use or disclosure of PHI to which Customer has agreed in accordance with 45 C.F.R. § 164.522;
d. must notify Float Care of any amendments to PHI to which Customer has agreed that affect a Designated Record Set maintained by Float Care for Customer, if any;
e. must, if Float Care maintains for Customer a Designated Record Set, provide Float Care with a copy of its policies and procedures related to any individual's right to: access PHI, request an amendment to PHI, request confidential communications of PHI, or request an accounting of disclosures of PHI;
f. may not request Float Care to use or disclose PHI in any manner that would not be permissible under HIPAA or other Federal or State Law;
g. is and will remain in compliance with all applicable Federal, State, and Local Laws, including but not limited to fraud and abuse laws, and will not request, require, or influence Float Care to violate any applicable law; and
h. will indemnify and hold harmless Float Care from and against all claims, demands, liabilities, judgments, or causes of any nature for any relief, elements of recovery, or damages recognized by law (including, without limitation, attorney's fees, defense costs, and equitable relief) for any damage or loss incurred by Float Care arising out of, resulting from, or attributable to any acts or omissions or other conduct of Customer or its agents or subcontractors in connection with the Agreement, this Business Associate Agreement, or another contract, and/or any violation of law by Customer or its agents or subcontractors. This obligation will survive the termination of this Business Associate Agreement.
4 Term and Termination
a. The term of this Business Associate Agreement will be effective as of the date the Agreement is effective, and will terminate when all of the PHI provided by Customer to Float Care, or created or received by Float Care on behalf of Customer, is destroyed or returned to Customer. However, with respect to any PHI that cannot feasibly be returned or destroyed, the protections of this Business Associate Agreement will be extended to such PHI in accordance with the termination provisions in Section 4(c)(ii).
b. Notwithstanding anything in this Business Associate Agreement to the contrary, upon Customer’s knowledge of a material breach or violation of this Business Associate Agreement by Float Care, Customer will:
i provide a reasonable opportunity for Float Care to cure the breach or end the violation of this Business Associate Agreement and then, if Float Care does not cure the breach or end the violation of this Business Associate Agreement within thirty (30) days, terminate this Business Associate Agreement if feasible; or
ii immediately terminate if feasible this Business Associate Agreement if Float Care has breached a material term of this Business Associate Agreement and a cure is not possible.
c. Effect of Termination.
i Except as provided in Section 4(c)(ii), upon termination of this Business Associate Agreement for any reason, Float Care will, if feasible:
1. return or destroy all PHI received from Customer or created or received by Float Care on behalf of Customer; and
2. not retain any copies of the PHI.
ii If Float Care determines that the return or destruction of any particular PHI is infeasible, Float Care will extend the protections of this Business Associate Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Float Care maintains such PHI.
5 Use and Disclosure of PHI - The general purposes for which PHI may be used or disclosed:
a. Float Care may use or disclose PHI for the purpose of performing Float Care’s obligations under the Agreement. Except as otherwise provided in this Business Associate Agreement, Float Care may use or disclose PHI to perform functions, activities, or services for or on behalf of Customer if such use or disclosure by Float Care complies with the Privacy Rule and if such use or disclosure of PHI would not violate the requirements of Subpart E of 45 C.F.R. Part 164 if done by Customer. Float Care may use or disclose PHI to provide data aggregation services relating to the health care operations of Customer. Float Care may use PHI received by Float Care in its capacity as a business associate to Customer as necessary for the proper management and administration of Float Care or to carry out the legal responsibilities of Float Care; or
b. the disclosure is Required By Law; or
c. Float Care obtains reasonable assurances from any person or entity to whom PHI is disclosed that:
i the PHI will be held confidential and further used and disclosed only as Required By Law or for the purposes for which it was disclosed to the person or entity, and
ii the person or entity will notify Float Care of any instances of which it is aware in which confidentiality of the PHI has been breached.
6 Notice of Privacy Practices.
Float Care agrees that it will abide by the limitations of any Notice published by Customer of which it has knowledge. Any use or disclosure permitted by this Business Associate Agreement may be amended by changes to Customer’s Notice if Customer specifically informs Float Care of the amendment; provided, however, that the amended Notice will not affect permitted uses and disclosures on which Float Care relied prior to receiving notice of such amended Notice from Customer.
7 Withdrawal of Authorization.
If the use or disclosure of PHI is based upon an individual's specific authorization for the use of his or her PHI, and the individual revokes such authorization in writing, or the effective date of such authorization has expired, or the authorization is found to be defective in any manner that renders it invalid, then Float Care agrees, if it has notice of such revocation or invalidity, to cease the use and disclosure of any such individual’s PHI except to the extent it has relied on such use or disclosure, or where an exception under HIPAA expressly applies.
8 Third Party Rights and Assignment and Delegation of Duties.
The terms of this Business Associate Agreement are not intended nor should they be construed to grant any rights to parties other than Float Care and Customer. However, this Business Associate Agreement is binding upon and inures to the benefit of the parties hereto and their respective successors and assigns.
9 Applicable Law and Forum
This Business Associate Agreement will be interpreted and construed in accordance with the laws of the State of Texas.
Any amendment to this Business Associate Agreement will not be binding on either of the parties to this Business Associate Agreement, unless such amendment is in writing and executed by both parties hereto. Notwithstanding anything in this Business Associate Agreement to the contrary, the parties agree to take such action as is necessary to amend this Business Associate Agreement from time to time to comply with the requirements of HIPAA and other applicable federal and state confidentiality, privacy, and security laws.
Any notices required or permitted under this Business Associate Agreement must be in writing and delivered in person or sent by registered or certified mail, return receipt requested, postage prepaid, properly addressed to the address of the addressee set forth above or to such other more recent address of the addressee of which the sending party has received written notice.
Each party has full power and authority to enter into and perform this Business Associate Agreement, and the person signing this Business Associate Agreement on behalf of each party has been properly authorized and empowered to enter into this Business Associate Agreement.
13 Requests for PHI
Either party will immediately notify the other party in writing, and provide the other party with a copy, of any subpoena or other discovery request or any judicial, governmental, or administrative order requesting or requiring the party to disclose PHI that may be held by or on behalf of the other party pursuant to this Business Associate Agreement, unless prohibited by an applicable law or if requested to refrain from doing so by law enforcement or other governmental authority.
14 Interpretation of this Contract in Relation to Other Contracts between Parties
Should there be any conflict between the language of this Business Associate Agreement and any other contract entered into between the parties, including the Agreement (either previous or subsequent to the date of this Business Associate Agreement), regarding the subject matter of this Business Associate Agreement, the language and provisions of this Business Associate Agreement will control and prevail unless the parties specifically refer in a subsequent written agreement to this Business Associate Agreement by its title and date and specifically state that the provisions of a later written agreement will control over this Business Associate Agreement.
15 De-Identified Information
Float Care may de-identify PHI obtained by Float Care under this Business Associate Agreement in compliance with 45 C.F.R. § 164.502(d) and 45 C.F.R. § 164.514(a) and (b). Pursuant to 45 C.F.R. § 164.502(d)(2), de-identified information does not constitute PHI and is not subject to the terms of this Business Associate Agreement.
16 Data Use
Float Care may use and disclose PHI obtained by Float Care under this Business Associate Agreement to create a limited data set without any of the identifiers listed in 45 C.F.R. § 164.514(e) (“Limited Data Set”) for research, public health, and health care operations purposes. Float Care may not use or further disclose a Limited Data Set for any other purpose, except as may otherwise be Required By Law. Float Care must use appropriate safeguards to prevent use or disclosure of Limited Data Set other than as provided for herein. Float Care must report to Customer any use or disclosure of a Limited Data Set not provided for herein of which Float Care becomes aware. Float Care must ensure that any agents to whom Float Care provides a Limited Data Set agree to the same restrictions and conditions that apply to Float Care with respect to such information. Float Care may disclose a Limited Data Set to any recipient that agrees to the same restrictions and conditions that apply to Float Care with respect to such information. With respect to any particular Limited Data Set, Float Care will not use the Limited Data Set in such a way as to identify any individual whose data is incorporated in the Limited Data Set or to contact any such individual.
17 Changes in the Law
If (i) there is a change in any law, regulation, or rule that affects this Business Associate Agreement, the activities of either party under this Business Associate Agreement, or the relationship of the parties, or any change in the judicial or administrative interpretation of any such law, regulation, or rule, or any of the provisions of this Business Associate Agreement are found to be in violation of any such law, regulation, or rule; and (ii) either party reasonably believes in good faith that the change, interpretation, or determination will have a substantial adverse effect on that party’s business operations, then the party may, upon written notice, require the other party to enter into good faith negotiations to renegotiate the terms of this Business Associate Agreement and to take any necessary action to maintain compliance with such laws, rules, or regulations. If the parties are unable to reach an agreement concerning the modification of this Business Associate Agreement within the earlier of 45 calendar days after the date of notice seeking renegotiation or the effective date of the change, then either party may immediately terminate this Business Associate Agreement effective upon notice to the other party.
Any ambiguity in this Business Associate Agreement will be resolved to permit Customer and Float Care to comply with HIPAA.
Any controversy or claim arising out of this Business Associate Agreement, or the breach thereof, will be settled by arbitration in accordance with the Rules of Commercial Arbitration of the American Arbitration Association, and judgment upon the award rendered by the arbitration may be entered in any court having jurisdiction thereof. The arbitration agreement set forth herein will not limit a court from granting a temporary restraining order or preliminary injunction in order to preserve the status quo of the parties pending arbitration. Further, the arbitrator(s) will have power to enter such orders by way of interim award, and they will be enforceable in court. The place of such arbitration will be in Houston, Texas.
20 Entire Agreement
This Business Associate Agreement, together with all schedules, exhibits, addenda, and amendments hereto, if applicable, that are fully completed and signed by authorized persons on behalf of both Customer and Float Care from time to time while this Business Associate Agreement is in effect, constitutes the entire agreement between the parties hereto with respect to the subject matter hereof and supersedes all previous written or oral understandings, agreements, negotiations, commitments, and any other writing and communication by or between the parties with respect to the subject matter hereof.
The provisions of this Business Associate Agreement will be severable, and if any provision of this Business Associate Agreement is held or declared to be illegal, invalid, or unenforceable, the remainder of this Business Associate Agreement will continue in full force and effect as though such illegal, invalid, or unenforceable provision had not been contained herein.
22 Regulatory References
A citation in this Business Associate Agreement to the Code of Federal Regulations (C.F.R.) means the cited section as that section may be amended from time to time.
This Business Associate Agreement may be signed in counterparts, each one of which is considered an original, but all of which constitute one and the same instrument. The parties have executed this Business Associate Agreement effective as of the date first above written.