Business Associate Agreement
Updated and Effective: 19 December 2022
This Business Associate Agreement (this “BAA”) is entered into by and between Evitalin LLC dba menMD (“menMD”) and you, and applies to any PHI received, maintained or transmitted by menMD in providing business associate services in connection with menMD’s Services.
Whereas, as used herein, the Privacy Rule and the Security Rule are each deemed to include the amendments thereto that are included in the Modifications to the HIPAA Privacy, Security, Enforcement and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule (the “Omnibus Rule”), 78 Fed. Reg. 5565;
Whereas, pursuant to the Privacy Rule and the Security Rule, all Business Associates of Covered Entities must agree in writing to certain mandatory provisions regarding the use and disclosure of PHI;
Whereas, the Health Information Technology for Economic and Clinical Health Act (“HITECH”) adopted as part of the American Recovery and Reinvestment Act of 2009 imposes certain requirements on Business Associates with respect to privacy, security and breach notification and contemplates that such requirements shall be implemented by regulations, some of which are included in the Omnibus Rule (collectively the “HITECH Provisions”);
Whereas, the purpose of this BAA is to comply with the requirements of the Privacy Rule, the Security Rule, the Breach Notification Rule (45 C.F.R. §§ 164.400-414), the Omnibus Rule and the HITECH Provisions, including, but not limited to, the Business Associate contract requirements at 45 C.F.R. §164.308(b), §164.314(a), §164.502(e) and §164.504(e), as may be amended; and
Whereas, the parties also wish to address the privacy and security requirements with respect to each of the Underlying Agreements and to provide an efficient mechanism to address future changes in laws and regulations that relate to HIPAA and HITECH with respect to the Underlying Agreements.
NOW, THEREFORE in consideration of the mutual promises and covenants contained herein, the parties agree as follows:
THESE TERMS MAY BE SUBJECT TO CHANGE, AS PROVIDED HEREIN.
1. Definitions.
Unless otherwise provided in this BAA or set forth in the Underlying Agreement (the “Terms”), capitalized terms have the same meanings as set forth in HIPAA, the Privacy Rule, the Security Rule, the Breach Notification Rule, the Omnibus Rule or the HITECH Provisions.
In addition, the following specific definitions apply:
a. Business Associate. “Business Associate” shall generally have the same meaning as the term “business associate” at 45 CFR 160.103.
b. Covered Entity. “Covered Entity” shall generally have the same meaning as the term “covered entity” at 45 CFR 160.103.
c. HIPAA Rules. “HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.
2. Scope of Use and Disclosure by menMD.
a. menMD shall be permitted to Use and Disclose PHI disclosed to it by you, consistent with the Minimum Necessary standard (45 C.F.R. §164.502(b)), as necessary to perform its obligations under the Underlying Agreements.
b. Unless otherwise limited herein, in addition to any other Uses and/or Disclosures permitted or authorized by this BAA or Required by Law, menMD may:
i. Use the PHI in its possession for its proper management and administration and to fulfill any legal responsibilities of menMD, including as related to the Underlying Agreements;
ii. Disclose the PHI in its possession to a third party for the purpose of menMD’s proper management and administration, including with regard to its fulfillment of services relating to the Underlying Agreements or to fulfill any legal responsibilities of menMD; provided, however, that the Disclosures are Required by Law or menMD has received from the third party written assurances that (a) the information will be held confidentially and used or further Disclosed only as Required by Law or for the purposes for which it was Disclosed to the third party; and (b) the third party will notify menMD of any instances of which it becomes aware in which the confidentiality of the information has been breached.
3. Obligations of menMD. In connection with its Use and Disclosure of PHI, menMD agrees that it will:
a. Use or further Disclose PHI only as permitted or required by this BAA, or as Required by Law, or as allowed in the Underlying Agreements;
b. Use reasonable and appropriate safeguards and comply, where applicable, with the Security Rule with respect to electronic PHI, to prevent Use or Disclosure of PHI other than as provided for by this BAA or the Underlying Agreements, including implementation of the Administrative, Physical and Technical Safeguards and Requirements of the Security Rule (45 C.F.R. §§164.306-316) that reasonably and appropriately protect the confidentiality, integrity and availability of the Electronic PHI that it creates, receives, maintains or transmits on your behalf;
c. To the extent practicable, mitigate any harmful effect that is known to menMD of a Use or Disclosure of PHI by menMD in violation of this BAA;
d. Report to you any Breaches of Unsecured PHI as required by 45 C.F.R. §164.410;
e. Require that any subcontractor that creates, receives, maintains or transmits PHI on behalf of menMD agrees to the same restrictions and conditions that apply to menMD with respect to such PHI in accordance with the applicable requirements of the Privacy Rule and the Security Rule;
f. Make available to the Secretary of HHS menMD’s internal practices, books and records relating to the Use and Disclosure of PHI received from or created or received by menMD on behalf of you for purposes of determining your compliance with the Privacy Rule, the Security Rule and the Breach Notification Rule, subject to any applicable legal privileges;
g. Within fifteen (15) days of receiving a request from you, make available the information necessary for you to make an accounting of Disclosures of PHI about an Individual;
h. Within ten (10) days of receiving a written request from you, make available PHI necessary for you to respond to Individuals’ requests for access to PHI about them in the event that the PHI in menMD’s possession constitutes a Designated Record Set;
i. Within fifteen (15) days of receiving a written request from you, make PHI available for amendment and incorporate any amendment to the PHI in accordance with the Privacy Rule in the event that the PHI in menMD’s possession constitutes a Designated Record Set;
j. To the extent that menMD is to carry out an obligation of yours under the Privacy Rule, menMD shall comply with the requirements of the Privacy Rule that apply to you in the performance of such obligation; and
k. Promptly report to you any Breach of Unsecured PHI after its Discovery and any Security Incident with respect to Electronic PHI of which it becomes aware; provided, however, that menMD shall not be obligated to report unsuccessful attempts to penetrate computer networks or servers that do not result in loss of data or degradation of computer networks or services. To the extent a determination has been made that patient notification is required in a breach involving menMD, both parties agree to cooperate on the notification language.
4. Your Obligations.
You agree that you:
a. Have included, and will include, in your Notice of Privacy Practices required by the Privacy Rule that you may Disclose PHI in a manner allowed in the Underlying Agreements and/or for Health Care Operations purposes.
b. Have obtained, and will obtain, from Individuals the consents, authorizations and other permissions necessary or Required by Law applicable to you for menMD and you to fulfill your respective obligations under the Underlying Agreements and this BAA.
c. Will promptly notify menMD in writing of any restrictions on the Use and Disclosure of PHI about Individuals that you have agreed to that may affect menMD’s ability to perform its obligations under the Underlying Agreement or this BAA.
d. Will promptly notify menMD in writing of any changes in, or revocation of, permission by an Individual to Use or Disclose PHI, if such changes or revocation may affect menMD’s ability to perform its obligations under the Underlying Agreement or this BAA.
5. Termination.
a. Termination for Breach. You and menMD may each terminate this BAA, in whole or in part, by giving written notice as described below if either of us (the “Terminating Party”) determines that the other party (the “Non-Terminating Party”) has breached a material term of this BAA. Alternatively, the Terminating Party may choose to provide the Non-Terminating Party with notice of the existence of an alleged material breach and provide the Non-Terminating Party an opportunity to cure the alleged material breach within a specified period.
If no cure period was provided or if the Non-Terminating Party fails to cure the breach to the satisfaction of the Terminating Party within the cure period provided, the Terminating Party may immediately thereafter terminate this BAA with respect to, in its discretion, all Underlying Agreements or only the Underlying Agreement with respect to which the breach occurred. Such termination shall be effective as of the date specified in a written notice given by the Terminating Party to the Non-Terminating Party (the “Termination Notice”). The Termination Notice shall be given as required in the Underlying Agreement.
b. Automatic Termination. This BAA will automatically terminate upon the termination or expiration of the Underlying Agreement but only with respect to the PHI that was Used or Disclosed pursuant to the Underlying Agreement that has expired or terminated.
c. Effect of Termination.
i. If this BAA is completely terminated, it will result in the termination of all Underlying Agreement(s) pursuant to which PHI was disclosed subject to this BAA. If this BAA is terminated only in part, then only the Underlying Agreements related to the terminated portion of this BAA shall be terminated.
ii. Upon termination of this BAA or the Underlying Agreement(s), to the extent that menMD then retains any PHI, menMD will return or destroy all PHI received from you or created or received by menMD on behalf of you with respect to the portion of this BAA and the Underlying Agreement(s) being terminated and menMD will retain no copies of such PHI; provided that if such return or destruction is not feasible, menMD will extend the protections of this BAA to such PHI and limit further Uses and Disclosures to those purposes that make the return or destruction of the information infeasible.
6. Amendment.
a. menMD and you agree to take such action as is necessary to amend this BAA from time to time so that you and/or menMD can comply with the requirements of HIPAA, the Privacy Rule, the Security Rule and the HITECH Provisions as currently in effect and as they may be amended from time to time in the future, including any interpretations thereof under federal law (each a “Change in Law”).
b. To the extent necessary to amend this BAA to include specific language to enable you and/or menMD to comply with any Change in Law, such language shall automatically be deemed incorporated by reference and included in this BAA as of the date required by such Change in Law.
c. Notwithstanding Sections 6.a and 6.b above, if a party to this BAA (an “Objecting Party”) deems compliance with any Change in Law to be impractical or likely to materially increase its costs, risks or obligations under this BAA or any of the Underlying Agreements, the Objecting Party may give written notice to the other party describing its concerns. Upon receipt of such notice, the parties shall negotiate in good faith to develop an amendment to address the concerns of the Objecting Party. If such an amendment is not executed within thirty (30) days of such notice, the Objecting Party may terminate this BAA by written notice to the other party and shall not have any obligation hereunder for early termination.
7. Survival.
The obligations of menMD under Section 5.c(ii) of this BAA shall survive any termination of this BAA.
8. Disclosures to Public Officials.
Notwithstanding anything contained herein to the contrary, the provisions provided herein are not intended to restrict or prevent menMD from fulfilling its obligation, if any, to make certain disclosures to public officials (including CMS), in cases of immediate jeopardy/imminent harm or a good faith belief that you have engaged in conduct that is unlawful, violates professional or clinical standards or potentially endangers one or more patients, workers or the public, as allowable under the Privacy Rule (45 C.F.R. §164.502(j)).
9. No Third Party Beneficiaries.
Nothing express or implied in this BAA is intended to confer, nor shall anything herein confer, upon any person other than the parties and their respective successors or assigns, any rights, remedies, obligations or liabilities whatsoever.
10. Independent Contractor.
Unless and to the extent otherwise expressly provided in an Underlying Agreement, each party is an independent contractor of the other. The parties note that this characterization of their relationship is consistent with the Omnibus Rule (see commentary to the Omnibus Rule at 78 Fed. Reg. 5581-5582).
11. Entire Agreement.
This BAA constitutes the entire understanding and obligation of the parties with respect to the subject matter hereof and supersedes any prior agreements, writings or understandings, whether oral or written with respect to the subject matter hereof.