BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement (“Agreement”) is by and between eForms Mobile, Inc., an Indiana corporation having its principal place of business in Russiaville, Indiana (“eForms Mobile” or “Business Associate”) and the Client (“Client” or “Covered Entity”) named in the Order Form under the applicable Services Agreement (as defined below). The parties desire through this Agreement to amend the applicable Services Agreement consistent with the requirements of the Health Insurance Portability and Accountability Act of 1996, as it may be amended from time to time (“HIPAA”), including the regulatory revisions implemented pursuant to the Health Information Technology for Economic and Clinical Health Act (the “HITECH ACT”). This Agreement becomes effective on the date on which the Order Form entered into by the parties takes effect (“Effective Date”). This Agreement replaces any earlier business associate agreement(s) entered into between the parties.
WHEREAS, Client and Business Associate are parties to a subscription agreement (the “Services Agreement,” as further defined below) pursuant to which Business Associate provides to Client, through hosted software as a service solutions, access to and use of certain hosted online and mobile form design, connector and other software, as ordered by Client from time to time under the Services Agreement (the “Services,” as further defined below) to Client;
WHEREAS, the parties desire to ensure that their respective rights and responsibilities under the Services Agreement reflect applicable federal statutory and regulatory requirements relating to the access, use and disclosure of health information, including without limitation, the Standards for Privacy of Individually Identifiable Health Information, and the Security Standards, collectively codified at 45 C.F.R. Parts 160, 162 and 164 (respectively the “Privacy Standards” and “Security Standards”) under HIPAA;
WHEREAS, because Client is a covered entity under HIPAA, the Privacy Standards and Security Standards require Covered Entity to obtain adequate written assurances with contractors that create, receive, access, maintain, use or disclose PHI for or on behalf of such Covered Entity; and
WHEREAS, the online Services offered eForms Mobile may be used by Client to store certain PHI (though typically not electronic medical records or Designated Record Sets); and
WHEREAS, eForms Mobile and Client are willing to agree to the business associate terms set forth below, in order to facilitate Covered Entity’s access and transmission of information to and from the eForms Mobile hosted systems provided as part of the Services, as authorized by and under certain other conditions described in the Services Agreement.
NOW, THEREFORE, for good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the parties hereby amend their Services Agreement by agreement to the following:
(a) General. Capitalized terms used in this Agreement and not otherwise defined herein shall have the same meanings as defined in the Privacy Standards or Security Standards and corresponding official materials published, issued, or promulgated by the Secretary of the Department of Health and Human Services. “Protected Health Information” (or “PHI”) shall have the same meaning as the term “protected health information” in 45 C.F.R. § 160.103, limited to the information actually received by eForms Mobile from or on behalf of Covered Entity in connection with the Services Agreement.
(b) Specific Definitions. As used herein:
“Services” means the specific Services ordered by Client from eForms Mobile from time to time from the menu of Services then offered by eForms Mobile. For clarification, such Services do not include either (i) any general obligation to supervise, oversee or consult with Client for the purposes of advising Client on, or ensuring Client’s compliance with, HIPAA, the HITECH Act and HIPAA Regulations, or (ii) any services offered by a eForms Mobile partner to the Client.
“Services Agreement” means the current or any future agreement between Client and Business Associate under which Business Associate provides the Services to Client which involve the use or disclosure of Protected Health Information.
- OBLIGATIONS AND ACTIVITIES OF BUSINESS ASSOCIATE
(a) Use and Disclosure. To the extent (if any) that eForms Mobile creates, transmits, maintains or receives any PHI behalf of Client, including any Electronic PHI, eForms Mobile agrees to:
(i) maintain the privacy and security of such PHI and not to use or disclose PHI other than as permitted or required to satisfy its obligations under the Services Agreement, or as permitted herein, or as Required by Law;
(ii) use appropriate safeguards to prevent the use or disclosure of the PHI other than as permitted under this Agreement;
(iii) implement or maintain administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of Electronic PHI;
(iv) ensure that any agent, including a subcontractor, to whom eForms Mobile provides Electronic PHI, agrees to implement reasonable and appropriate safeguards to protect such Electronic PHI; and
(v) to promptly report to Client any use or disclosure of PHI not permitted by this Agreement of which Business Associate becomes aware (including Breaches of Unsecured PHI as required at 45 CFR 164.410) and any Security Incident that eForms Mobile becomes aware of; provided however, that the parties acknowledge and agree that this Section 2(a) constitutes notice by eForms Mobile to Covered Entity of the ongoing existence and occurrence or attempts of Unsuccessful Security Incidents for which no additional notice to Covered Entity shall be required. “Unsuccessful Security Incidents” means, without limitation, pings and other broadcast attacks on eForms Mobile’s firewall, port scans, unsuccessful log-on attempts, denial of service attacks, and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of PHI.
(b) Agents. eForms Mobile shall obtain and maintain an agreement with each agent or subcontractor that has or will have access to PHI. That agreement will require each such agent or subcontractor to be bound by the same restrictions, terms and conditions that apply to eForms Mobile with respect to such PHI. Further each agent or subcontractor will agree to report to eForms Mobile any instances of which it is aware of violation of the agreement with respect to PHI.
(c) Access to Designated Record Sets. To the extent (if any) that Business Associate possesses and maintains a Designated Record Set for Covered Entity, Business Associate agrees to:
(i) provide access, at the request of Client, and in the time and manner mutually agreed between Business Associate and Client, to PHI in a Designated Record Set, to Client or, as directed by Client, to an Individual in order to satisfy Client’s obligations under 45 CFR § 164.524; and
(ii) to make any amendment(s) to PHI in a Designated Record Set as directed or agreed to by the Client pursuant to 45 CFR § 164.526, and in the time and manner mutually agreed between Business Associate and Client (provided that the amendment of an Individual’s PHI and all decisions related thereto shall be the sole responsibility of Client).
(iii) Accounting. Business Associate agrees to make available to Client information regarding disclosures made by Business Associate for which an accounting is required under 45 C.F.R. Section 164.528 so Client can meet its requirements to provide an accounting to an individual in accordance with 45 CFR 164.528. .
(d) Access to Books and Records. Business Associate agrees to make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary for purposes of determining compliance with the HIPAA Rules.
- PERMITTED USES AND DISCLOSURES BY BUSINESS ASSOCIATE
(a) Services Agreement. Except as otherwise limited by this Agreement, Business Associate may use or disclose PHI as necessary to perform the Services for Client as specified in the Services Agreement, provided that such use or disclosure would not violate the Privacy Rule if done by Client and is subject to the minimum necessary policies and procedures of the Client.
(b) Disclosure for Administration of Business Associate. Except as otherwise limited by this Agreement, Business Associate may disclose PHI for the proper management and administration of the Business Associate, provided that (i) disclosures are Required by Law, or (ii) Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
(c) Reporting Violations. Business Associate may use PHI to report violations of law to appropriate Federal and State authorities, consistent with 45 CFR § 164.502(j)(1).
- OBLIGATIONS OF CLIENT
(a) Limitations in Notice of Privacy Practices. Client shall notify Business Associate of any limitation(s) in the notice of privacy practices of Client under 45 CFR § 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI.
(b) Restrictions to the Use or Disclosure of PHI. Client shall notify Business Associate of any restriction to the use or disclosure of PHI that Client has agreed to in accordance with 45 CFR § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.
(c) Permissible Use Requests. Except for the permitted uses set forth in Section 3, Client will not request Business Associate to use or disclose PHI in any manner that would not be permissible under Subpart E of 45 CFR Part 164 if done by Client.
- TERM AND TERMINATION
(a) Term and Termination. The term of this Agreement shall be the same as the term of the Services Agreement. Upon Client’s knowledge of a material breach of this Agreement by eForms Mobile, Client shall notify eForms Mobile of the breach in writing, and shall provide an opportunity for EForms Mobile to cure the breach or end the violation within thirty (30) business days of such notification; provided, that if eForms Mobile fails to cure the breach or end the violation within such time period to the satisfaction of Client, Client shall have the right to immediately terminate this Agreement and the Services Agreement upon written notice to eForms Mobile. In the event that termination of this Agreement is not feasible as mutually agreed to by eForms Mobile and Client, eForms Mobile hereby acknowledges that Client shall have the right to report the breach to the Secretary. This Agreement will be effective as of the date set forth on the signature page.
(b) Effect of Termination. Upon termination of this Agreement, for any reason, Business Associate shall return or destroy all PHI received from Client, or received by Business Associate on behalf of Client. This provision shall apply to PHI that is in the possession of subcontractors or agents of Business Associate. Business Associate shall retain no copies of the PHI. In the event that Business Associate determines that returning or destroying the PHI is infeasible, Business Associate shall provide to Client notification of the conditions that make return or destruction infeasible. Upon mutual agreement of the Parties that return or destruction of PHI is infeasible, Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI.
(a) Regulatory References. A reference in this Agreement to a section in the HIPAA Rules means the section as in effect or as amended or modified from time to time.
(b) Amendment. No alteration, amendment, or modification of the terms of this Agreement shall be valid or effective unless in writing and signed by EForms Mobile and Client.
(c) Miscellaneous. The terms of this Agreement are hereby incorporated into the Services Agreement. In the event of a conflict between the terms of this Agreement and the terms of the Services Agreement, the terms of this Agreement will prevail.