Last Updated: July 22, 2021
DocStation, Inc. (“Business Associate”) and Provider (collectively the “Parties”) hereby enter into this Business Associate Agreement (the “BAA”) pursuant to the terms and conditions set forth below. The terms of this BAA are incorporated by reference into the Agreement and accepted by Provider as defined and designated therein. RECITALS WHEREAS, DocStation provides electronic health records, practice management, medication therapy management tools and related services, and other services dedicated to patient care and billing (“Services”); and
WHEREAS, DocStation, through its agreements with covered entities and regulated agencies, is subject to the Administrative Simplification requirements of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as amended from time to time and the regulations promulgated thereunder at 45 C.F.R. Parts 160 and 164, and the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”) and the regulations promulgated thereunder (collectively “Privacy and Security Regulations”); and
WHEREAS, Provider accesses the Services provided by DocStation and therefore has access to, uses, or creates Protected Health Information in the use of Services and intends to be similarly bound; and
WHEREAS, the Privacy and Security Regulations require the Parties to enter into a contract in order to mandate certain protections for the privacy and security of Protected Health Information, and those Regulations prohibit the disclosure of Protected Health Information from DocStation to Provider, or vice versa, if such a contract is not in place.
NOW THEREFORE, in consideration of the foregoing, and for other good and valuable consideration, the receipt and adequacy of which is hereby acknowledged, the Parties agree as follows:
1.1 “Breach” has the meaning as set forth in 45 C.F.R. Section 164.402, as the same may be amended from time to time.
1.2 “Covered Entity” means: (1) a health plan; (2) a health care clearinghouse; and, (3) a health care provider who transmits any health information in any form in connection with a transaction covered by the HIPAA Regulations.
1.3 “Electronic Protected Health Information (“ePHI”)” means Protected Health Information that is transmitted by electronic media (as defined by the Privacy and Security Regulations) or is maintained in electronic media.
1.4 “Disclose” and “Disclosure” mean, with respect to Protected Health Information, the release, transfer, provision of access to, or divulging in any other manner of Protected Health Information outside Business Associate’s internal operations.
1.5 “Electronic Health Record (hereinafter “EHR”)” means
1.6 “Protected Health Information” (hereinafter, “PHI”) means information, including demographic information, that (i) relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual, or the past, present or future payment for the provision of health care to an individual; (ii) identifies the individual (or for which there is a reasonable basis for believing that the information can be used to identify the individual); and (iii) is received by Business Associate from or on behalf of Provider, or is created by Business Associate, or is made accessible to Business Associate by Provider
1.7 “Secretary” means the Secretary of the U.S. Department of Health & Human Services.
1.8 “Security Incident” means an attempted or successful Unauthorized Use or Disclosure. For purposes of this BAA, “attempted” does not apply to inadvertent acts by employees or third parties acting in good faith. Business Associate shall exercise discretion and good judgment in assessing whether attempts at Unauthorized Use or Disclosure present a material threat to the confidentiality, security and accessibility of PHI and whether notification to the Provider is warranted under this BAA.
1.9 “Services” mean the Services provided by Business Associate that are accessible by Provider.
1.10 “Unauthorized Use or Disclosure” means the unauthorized access, use or disclosure, modification, or destruction of information or interference with the system operations in an information system.
1.11 “Unsecured Protected Health Information” (hereinafter, “Unsecured PHI”) means PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary in guidance, including the guidance issued by the HHS on April 17, 2009, pursuant to HITECH Act, or regulations or as otherwise defined in the HITECH Act.
1.12 “Use” or “Uses” mean, with respect to PHI, the sharing, employment, application, utilization, examination or analysis of such information within Business Associate’s internal operations.
Terms used, but not otherwise defined, in this BAA shall have the same meaning as those terms in the Privacy and Security Regulations including, but not limited to, 45 C.F.R. Sections 160.103 and 164.501.
2.0 Obligations of Business Associate
2.1 Additional Requirements of the HITECH Act. The Parties agree that the additional Privacy and Security requirements imposed on Covered Entities by the HITECH Act are also applicable to Business Associate and, therefore, Business Associate shall comply with same.
2.2 Permitted Uses and Disclosures of PHI. Business Associate:
(a) shall Use and Disclose PHI as necessary or appropriate to perform the Services, and as provided in Sections 2.7, 2.8, 2.9, 2.11, and 2.12 of this BAA;
(b) shall Disclose PHI to Provider upon request;
(c) may, as necessary for the proper management and administration of its business or to carry out its legal responsibilities:
(i) Use PHI; and
(ii) Disclose PHI if the Disclosure is required by law, or Business Associate obtains reasonable written assurances from the person to whom the information is Disclosed that the PHI will be held confidentially and Used or further Disclosed only as required by law or for the purpose for which it was Disclosed to the person, and the person agrees to notify Business Associate of any instances of which the person is aware that the confidentiality of the PHI has been breached.
(d) shall mitigate, to the extent practicable, any harmful effect that is known to Business Associate of an Unauthorized Use or Disclosure of PHI in violation of the requirements of this BAA.
Business Associate shall not Use or Disclose PHI for any other purpose. Specifically, the Business Associate shall not de-identify PHI and/or use de-identified PHI in any way (including but not limited to aggregate data) other than as agreed in writing between the Parties.
2.3 Adequate Safeguards for PHI. Business Associate warrants that it shall implement and maintain appropriate safeguards to prevent the Use or Disclosure of PHI in any manner other than as permitted by this BAA. In addition, Business Associate warrants that it shall implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of any ePHI that it creates, accesses, receives, maintains or transmits on behalf of Provider, and in doing so, shall comply with the Privacy and Security Regulations including 45 CFR Sections 164.308, 164.310, and 164.312. Further, Business Associate shall comply with the policies and procedures and documentation requirements of the HIPAA Security Regulations set forth in 45 CFR Section 164.316.
2.4 Breach Pattern or Practice by Business Associate or subcontractor. If Business Associate knows of a pattern of activity or practice that constitutes a material breach or violation of its obligations by any subcontractor of Business Associate under any agreement or any amendment or addendum thereto, Business Associate must take reasonable steps to cure the breach or end the violation. If the steps are unsuccessful, Business Associate must terminate the agreement if feasible, or, if termination is not feasible, report the activity to the Secretary. Business Associate shall provide written notice to Provider of any pattern of activity or practice that constitutes a material breach or violation of Provider’s obligations under this BAA or any amendment or addendum thereto within five (5) days of discovery and shall meet with Provider to discuss and attempt to resolve the problem as one of the reasonable steps to cure or end the violation.
2.5 Breach Notification. Business Associate shall promptly notify Provider following Business Associate’s (or Business Associate’s employee, officer, or agent) discovery of a Breach of Unsecured PHI. Business Associate’s notification to Provider hereunder shall (a) be made to Provider without unreasonable delay and in no case later than 48 hours after discovery of the Breach, and (b) include identification of each individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been subject to the Breach.
In addition to the above, Business Associate shall also include the following information in its notification to Provider:
(a) A description of what happened, including the date of the Breach and the date of discovery of the Breach, if known;
(b) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, credit card number, diagnosis, disability code, or other types of information were involved);
(c) Any steps that the individuals should take to protect themselves from potential harm resulting from the Breach;
(d) A description of what Business Associate is doing to investigate the Breach, to mitigate the harm to individuals and to protect against further Breaches; and,
(e) Contact information, including a toll free telephone number, an e-mail address and postal address, should Provider wish to provide such information to the individuals who have questions about the Breach.
If some of the above information is not known by Business Associate at the date of notification, Business Associate shall forward the information as soon as it becomes available.
Unless explicitly authorized by law, Business Associate is strictly prohibited from providing notice of any Breach or Security Incident to any third parties, including but not limited to any affected individuals, regulators, or the media without Provider’s written authorization to provide such notice. Business Associate agrees to cooperate with Provider in any investigations, mitigation efforts and responses to any Security Incident or Breach.
2.6 Reporting Non-Permitted Use or Disclosure; Security Incident. Business Associate shall report to Provider each Use or Disclosure that is made by Business Associate, its employees, representatives, agents or subcontractors that is not specifically permitted by this BAA. The initial report shall be made by telephone call to Provider’s Privacy Officer within 48 hours from the time Business Associate becomes aware of an actual or apparent non-permitted Use or Disclosure.
Further, if requested by Provider’s Privacy Officer, Business Associate shall forward a full written report or any other requested documentation to Provider’s Privacy Officer no later than ten (10) business days from the date Business Associate becomes aware of the non-permitted Use or Disclosure. Business Associate shall report to Provider any Security Incident of which it becomes aware within the time frame specified herein. Business Associate shall also provide in such notice the remedial or other actions undertaken to correct the Unauthorized Use or Disclosure.
2.7 Availability of Internal Practices, Books and Records to Government Agencies; Provider Right to Audit. Business Associate agrees to make its internal practices, books and records relating to the Use and Disclosure of PHI available to the Secretary for purposes of determining Provider’s compliance with the Privacy Regulations. Business Associate shall immediately notify Provider of any requests made by the Secretary and provide Provider with copies of any documents produced in response to such request. Provider reserves the right to audit Business Associate’s compliance with some or all of its Business Associate’s obligations under this BAA. In the event Provider chooses to exercise this right of audit, Provider shall provide Business Associate no less than ten (10) business days’ written notice of its intent to audit. Such written notice from Provider shall provide sufficient detail to Business Associate of what the scope of any audit shall entail. The Parties agree to cooperate in good faith to complete any such audits in a timely and efficient manner.
2.8 Access to and Amendment of PHI. Business Associate shall: (a) make the PHI specified by Provider available to the individual(s) identified by Provider as being entitled to access and copy that PHI, and (b) make PHI available to Provider for the purpose of amending and incorporating such amendments into the PHI. Business Associate shall provide such access and incorporate such amendments within the time and in the manner specified by Provider.
2.9 Accounting of Disclosures. Upon Provider’s request, Business Associate shall provide to Provider an accounting of each Disclosure of PHI made by Business Associate or its employees, agents, representatives or subcontractors. Any accounting provided by Business Associate under this Section 2.9 shall include:
(a) the date of the Disclosure;
(b) the name, and address if known, of the entity or person who received the PHI;
(c) a brief description of the PHI disclosed; and
(d) a brief statement of the purpose of the Disclosure.
For each Disclosure that could require an accounting under this Section 2.9, Business Associate shall document the information specified in (a) through (d), above, and shall securely retain this documentation for six years from the date of the Disclosure.
2.10 Term and Termination. The term of this BAA shall be so long as the Business Associate provides the Services to Provider. Both this BAA and the Services provided by Business Associate to Provider may be terminated by Provider immediately and without penalty upon written notice by Provider to Business Associate if Provider determines, in its sole discretion, that Business Associate has violated any material term of this BAA. After termination, in the event Business Associate shall retain PHI in its possession for any reason, Business Associate shall keep such PHI secure from unauthorized access, use or disclosure. Sections 2.3, 2.4, 2.5. and 2.6 shall survive the termination of this BAA.
2.11 Disposition of PHI upon Termination or Expiration. Upon termination or expiration of this BAA, Business Associate shall either return or destroy, in Provider’s sole discretion and in accordance with any instructions by Provider, all PHI in the possession or control of Business Associate or its agents and subcontractors and shall not retain any copies of the PHI. In the event of any destruction, Business Associate shall tender Provider a written attestation that such PHI was securely destroyed and that Business Associate no longer possesses PHI.
However, if the Parties agree that neither return nor destruction of PHI is feasible, Business Associate may retain PHI provided that Business Associate (a) continues to comply with the provisions of this BAA for as long as it retains PHI, and (b) limits further Uses and Disclosures of PHI to those purposes that make the return or destruction of PHI infeasible.
2.12 Use of Subcontractors and Agents. Business Associate shall require each of its agents and subcontractors that receive PHI from Business Associate to execute a written agreement obligating the agent or subcontractor to comply with all the terms of this BAA.
2.13 Performance of Provider’s Obligations. To the extent Business Associate is to carry out any of Provider’s obligations under 45 C.F.R. Part 164 Subpart E at the request of Provider, Business Associate shall comply with the requirements of 45 C.F.R. Part 164 Subpart E that apply to Provider in the performance of such obligation.
2.14 Offshore PHI. Business Associate shall transfer, store, maintain, process, or access PHI only in and from the United States, and shall not transfer, store, maintain, process, or access PHI in or from any other jurisdiction without Provider’s prior written consent.