Take 44 Inc.
Business Associate Agreement
This Business Associate Agreement Amendment (the “BAA” or “Amendment”) is by and between Take 44, Inc., a corporation organized under the laws of the State of Delaware (“Take 44” or “Business Associate”), and the Client (“Client”) named in the Online Subscription Order Form under the applicable Agreement (as defined below). The parties desire through this Amendment to amend the applicable Agreement consistent with the requirements of the Health Insurance Portability and Accountability Act of 1996, as it may be amended from time to time (“HIPAA”), including the regulatory revisions implemented pursuant to the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”). This Amendment becomes effective on the date that this Amendment is accepted online as part of the Client’s registration process. The Business Associate has accepted the terms of this Amendment, and the Client’s acceptance during the registration process makes this Amendment effective as of that date (“Effective Date”). This Amendment replaces any earlier business associate agreement(s) entered into between the parties.
WHEREAS, Client and Business Associate are parties to a subscription agreement (the “Agreement,” as further defined below) pursuant to which Business Associate provides to Client access to and use of certain software applications as ordered by Client under the Agreement (the “Services,” as further defined below);
WHEREAS, the parties desire to ensure that their respective rights and responsibilities under the Agreement reflect applicable federal statutory and regulatory requirements relating to the access, use, and disclosure of health information, including without limitation, the Standards for Privacy of Individually Identifiable Health Information, and the Security Standards, collectively codified at 45 CFR Parts 160, 162, and 164 (respectively the “Privacy Standards” and “Security Standards”) under HIPAA;
WHEREAS, because Client is a Business Associate under HIPAA, the Privacy Standards and Security Standards require the Client to obtain adequate written assurances from contractors that create, receive, access, maintain, use, or disclose PHI for or on behalf of such Client; and
WHEREAS, the online services offered by Take 44 may be used by Client to store certain PHI (though typically not electronic medical records or Designated Record Sets); and
WHEREAS, Take 44 and Client agree to the business associate terms set forth below, in order to facilitate Client's access and transmission of information to and from the NextAgency application(s) provided as part of the Services, as authorized by, and under certain other conditions described in the Agreement.
NOW, THEREFORE, for good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the parties hereby amend their Agreement by agreement to the following:
1. DEFINITIONS
A. General. Capitalized terms used in this Amendment and not otherwise defined herein shall have the same meanings as defined in the Privacy Standards or Security Standards and corresponding official materials published, issued, or promulgated by the Secretary of the Department of Health and Human Services (“the Secretary”). “Protected Health Information” (or “PHI”) shall have the same meaning as the term “protected health information” in 45 CFR § 160.103, limited to the information actually received by Take 44 from or on behalf of Client in connection with the Agreement.
B. Specific Definitions. As used herein:
1. “Agreement” means the current agreement between Client and Business Associate under which Business Associate provides the Services to Client which involve the use or disclosure of Protected Health Information, particularly the NextAgency Terms of Service Agreement, as such agreement may be amended, modified, or renamed in the future.
2. “Services” means specifically the NextAgency software as a service
a. any general obligation to supervise, oversee, or consult with Client for the purposes of advising Client on, or ensuring Client's compliance with, HIPAA, the HITECH Act, and HIPAA Regulations,
b. any client submission of unprotected PHI to third parties during the implementation or use of NextAgency, or
c. any sending of emails or SMS messages containing unprotected PHI through any NextAgency software or applications.
2. OBLIGATIONS AND ACTIVITIES OF BUSINESS ASSOCIATE
A. Use and Disclosure. To the extent (if any) that Business Associate creates, transmits, maintains, or receives any PHI on behalf of Client, including any Electronic PHI, Business Associate agrees to:
1. maintain the privacy and security of such PHI and not to use or disclose PHI other than as permitted or required to satisfy its obligations under the Agreement, or as permitted herein, or as Required by Law;
2. use appropriate safeguards, consistent with the requirements of Subpart C of 45 CFR Part 164 (with respect to Electronic PHI), to prevent the use or disclosure of the PHI other than as permitted under this Amendment;
3. implement or maintain administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of Electronic PHI; and
4. promptly report to Client any use or disclosure of PHI not permitted by this Amendment of which Business Associate becomes aware (including Breaches of Unsecured PHI as required by 45 CFR § 164.410) and any Security Incident that Business Associate becomes aware of; provided, however, that the parties acknowledge and agree that this Section 2(a)(iv) constitutes notice by Business Associate to Client of the ongoing existence of, occurrence of, and attempts by third parties that constitute Unsuccessful Security Incidents for which no additional notice to Client shall be required. “Unsuccessful Security Incidents” means, without limitation, pings and other broadcast attacks on Business Associate's firewall(s), port scans, unsuccessful log-on attempts, denial of service attacks, and any combination of the above, so long as no such incident results in unauthorized access, use, or disclosure of PHI.
B. Agents. Business Associate shall obtain and maintain an agreement with each agent or subcontractor that has or will have access to PHI. That agreement will require each agent or subcontractor to be bound by restrictions, terms, and conditions that are at least as stringent as those that apply to Business Associate with respect to such PHI. Furthermore, each agent or subcontractor will agree to report to Business Associate any instances of violation of the agreement with respect to PHI of which it becomes aware.
C. Access to Designated Record Sets. To the extent (if any) that Business Associate possesses and maintains a Designated Record Set for Client, Business Associate agrees to:
1. provide access, at the request of Client, and in the time and manner mutually agreed between Business Associate and Client, to PHI in a Designated Record Set, to Client or, as directed by Client, to an Individual in order to satisfy Client's obligations under 45 CFR § 164.524; and
2. make any amendment(s) to PHI in a Designated Record Set as directed or agreed to by the Client pursuant to 45 CFR § 164.526, and in the time and manner mutually agreed between Business Associate and Client (provided that the amendment of an Individual's PHI and all decisions related thereto shall be the sole responsibility of Client).
D. Accounting. Business Associate agrees to make available to Client information regarding disclosures made by Business Associate for which an accounting is required under 45 CFR § 164.528 so Client can meet its requirements to provide an accounting to an individual in accordance with 45 CFR § 164.528.
E. Access to Books and Records. Business Associate agrees to make its internal practices, books, and records relating to the use and disclosure of PHI available for purposes of determining compliance with the HIPAA Rules.
3. PERMITTED USES AND DISCLOSURES BY BUSINESS ASSOCIATE
A. Agreement. Except as otherwise limited by this Amendment, Business Associate may use or disclose PHI as necessary to perform Services for the Client as specified in the Agreement, provided that such use or disclosure would not violate Privacy Rules and complies with the principle of “minimum necessary use and disclosure” consistent with 45 CFR § 164.514(d).
B. Disclosure for Administration of Business Associate. Except as otherwise limited by this Amendment, Business Associate may disclose PHI for the proper management and administration of the Business Associate’s business, provided that (i) disclosures are Required by Law, or (ii) Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
C. Reporting Violations. Business Associate may use PHI to report violations of law to appropriate Federal and State authorities, consistent with 45 CFR § 164.502(j)(1).
4. OBLIGATIONS OF CLIENT
A. Limitations in Notice of Privacy Practices. Client shall notify Business Associate of any limitation(s) in the notice of privacy practices of Client under 45 CFR § 164.520, to the extent that such limitation may affect Business Associate's use or disclosure of PHI. However, Client shall not agree to any restriction requests or place any restrictions in any notice of privacy practices that would require modification to the NextAgency software or cause Business Associate to violate this Amendment or any applicable law.
B. Restrictions to the Use or Disclosure of PHI. Client shall notify Business Associate of any restriction to the use or disclosure of PHI that Client has agreed to in accordance with 45 CFR § 164.522, to the extent that such restriction may affect Business Associate's use or disclosure of PHI.
C. Permissible Use Requests. Except for the permitted uses set forth in Section 3, Client will not request Business Associate to use or disclose PHI in any manner that would not be permissible under Subpart E of 45 CFR Part 164 if done by Client.
D. Access Requests. Client will, if legally permitted, notify Business Associate of any request received to restrict access to, correct, erase, block, or amend PHI. Client is responsible for managing and responding to these requests.
E. HIPAA Security Configuration. Client agrees to enable all security features of the Service that are necessary in order for the Client to comply with its obligations under HIPAA.
F. Excluded Information Systems. The Client agrees not to transmit any unprotected PHI from NextAgency, including the submission to any information system or software application excluded from the scope of the Services.
5. TERM AND TERMINATION
A. Term and Termination. The term of this Amendment shall begin on the Effective Date and shall terminate on the date that the Agreement is terminated for any reason, including failure to pay subscription dues.
B. Termination in Kind. Notwithstanding any contrary language in the Agreement, termination of this Amendment shall also constitute termination of the Agreement itself. If this Amendment is terminated for cause pursuant to Section 5(c), below, the Agreement shall also be deemed terminated for cause, which termination shall be governed by the appropriate termination for cause provisions contained in the Agreement.
C. Termination for Cause. Upon Client's knowledge of a material breach of this Amendment by Business Associate, Client shall notify Business Associate of the breach in writing and shall provide an opportunity for Business Associate to cure the breach or end the violation within thirty (30) business days of such notification. If Business Associate fails to cure the breach or end the violation within such time period to the satisfaction of Client, Client shall have the right to immediately terminate this Amendment upon written notice to Business Associate.
D. Effect of Termination. Following the termination or expiration of this Amendment for any reason, Business Associate shall comply with the request(s) by the Client for the Business Associate to return or destroy all PHI received from Client or received by Business Associate on behalf of Client. This provision shall also apply to PHI that is in the possession of subcontractors or agents of Business Associate. Business Associate shall retain no copies of the PHI except as necessary to comply with any data retention requirements that are not inconsistent with any Privacy Rules. Where return or destruction of PHI is infeasible, Business Associate shall extend the protections of this Amendment to such PHI and limit further uses and disclosures of such PHI. Further, in consideration of the fact that Business Associate maintains a procedure for replicating or backing up Client data to help ensure the integrity and availability of PHI, the parties agree that Business Associate is not obligated to destroy PHI until the one hundred and eighty-first (181st) day from the date of the termination of the Agreement.
E. Survival. The obligations of Business Associate under this Section shall survive the termination of this Amendment.
6. MISCELLANEOUS
A. Regulatory References. A reference in this Amendment to a section in the HIPAA Rules means the section as in effect or as amended or modified from time to time.
B. Amendment. Business Associate has the right to alter, amend or modify the terms of this Amendment from time to time. The amendment shall be deemed accepted by Business Associate when presented to Client. Client will be notified of the changes to this Amendment and will accept any changes when logging into NextAgency. The Client has no right to alter, amend or modify this Amendment unless in writing and signed by Business Associate and Client. The parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for compliance with the requirements of the HIPAA Rules and any other applicable law.
C. Interpretation. The terms of this Amendment are hereby incorporated into the Agreement. In the event of a conflict between the terms of this Amendment and the terms of the Agreement, the terms of this Amendment will prevail. Any ambiguity in this Amendment shall be interpreted to permit compliance with the HIPAA Rules.
D. Severability. If any provision of this Amendment is found to be invalid or unenforceable, the remainder of this Amendment shall not be affected thereby, but rather the remainder of this Amendment shall be enforced to the greatest extent permitted by law.
E. No Agency Relationship. It is not intended that an agency relationship (as defined under the Federal common law of agency) be established hereby expressly or by implication between Client and Business Associate under HIPAA or the Privacy Rule, Security Rule, or Breach Notification Rule. No terms or conditions contained in this Amendment shall be construed to make or render Business Associate an agent of Client.
F. No Third-Party Beneficiaries. Nothing express or implied in this Amendment is intended to confer, nor shall anything in this Amendment confer, upon any person other than the parties, and the respective successors or assigns of the parties, any rights, remedies, obligations, or liabilities whatsoever.