BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement ("Agreement") is entered into by and between the undersigned entity ("Covered Entity") and Savvy Agents LLC ("Business Associate"), collectively referred to as the "Parties."
1. DEFINITIONS
Terms used but not otherwise defined in this Agreement shall have the same meaning as those terms in the HIPAA Rules (45 CFR Parts 160 and 164).
(a) "Protected Health Information" or "PHI" means individually identifiable health information transmitted or maintained in any form or medium, as defined in 45 CFR § 160.103.
(b) "Electronic Protected Health Information" or "ePHI" means PHI that is transmitted by or maintained in electronic media, as defined in 45 CFR § 160.103.
(c) "HIPAA Rules" means the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Parts 160 and 164.
2. OBLIGATIONS OF BUSINESS ASSOCIATE
Business Associate agrees to:
(a) Not use or disclose PHI other than as permitted or required by this Agreement or as required by law.
(b) Use appropriate safeguards and comply with the Security Rule to prevent unauthorized use or disclosure of ePHI.
(c) Report to Covered Entity any use or disclosure of PHI not provided for by this Agreement, including any security incident or breach of unsecured PHI, within 30 days of discovery.
(d) Ensure that any agent, including a subcontractor, to whom Business Associate provides PHI agrees to the same restrictions and conditions that apply to Business Associate.
(e) Make available PHI in a designated record set to Covered Entity or individual as required under 45 CFR § 164.524.
(f) Make available PHI for amendment and incorporate any amendments to PHI in a designated record set as required under 45 CFR § 164.526.
(g) Maintain and make available the information required to provide an accounting of disclosures as required under 45 CFR § 164.528.
(h) Make internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of HHS for purposes of determining compliance.
3. PERMITTED USES AND DISCLOSURES
(a) Business Associate may use or disclose PHI as necessary to perform functions, activities, or services for Covered Entity as specified in the underlying service agreement, provided that such use or disclosure does not violate the HIPAA Rules.
(b) Business Associate may use PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate.
(c) Business Associate may de-identify PHI in accordance with 45 CFR § 164.514(a)-(c).
4. OBLIGATIONS OF COVERED ENTITY
Covered Entity shall:
(a) Inform Business Associate of any limitation(s) in the notice of privacy practices in accordance with 45 CFR § 164.520.
(b) Inform Business Associate of any changes in, or revocation of, the permission by an individual to use or disclose their PHI.
(c) Notify Business Associate of any restriction on the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 CFR § 164.522.
5. TERM AND TERMINATION
(a) This Agreement shall be effective as of the date signed and shall terminate when all PHI is destroyed or returned, or if not feasible, protections are extended in accordance with this Agreement.
(b) Either Party may terminate this Agreement if the other Party has materially breached this Agreement and failed to cure the breach within 30 days of written notice.
(c) Upon termination, Business Associate shall return or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity.
6. MISCELLANEOUS
(a) This Agreement shall be governed by and construed in accordance with applicable federal and state law.
(b) This Agreement may be amended only by written agreement signed by both Parties.
(c) Any ambiguity in this Agreement shall be interpreted to permit compliance with the HIPAA Rules.
This Business Associate Agreement ("Agreement") is entered into by and between the undersigned entity ("Covered Entity") and Savvy Agents LLC ("Business Associate"), collectively referred to as the "Parties."
1. DEFINITIONS
Terms used but not otherwise defined in this Agreement shall have the same meaning as those terms in the HIPAA Rules (45 CFR Parts 160 and 164).
(a) "Protected Health Information" or "PHI" means individually identifiable health information transmitted or maintained in any form or medium, as defined in 45 CFR § 160.103.
(b) "Electronic Protected Health Information" or "ePHI" means PHI that is transmitted by or maintained in electronic media, as defined in 45 CFR § 160.103.
(c) "HIPAA Rules" means the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Parts 160 and 164.
2. OBLIGATIONS OF BUSINESS ASSOCIATE
Business Associate agrees to:
(a) Not use or disclose PHI other than as permitted or required by this Agreement or as required by law.
(b) Use appropriate safeguards and comply with the Security Rule to prevent unauthorized use or disclosure of ePHI.
(c) Report to Covered Entity any use or disclosure of PHI not provided for by this Agreement, including any security incident or breach of unsecured PHI, within 30 days of discovery.
(d) Ensure that any agent, including a subcontractor, to whom Business Associate provides PHI agrees to the same restrictions and conditions that apply to Business Associate.
(e) Make available PHI in a designated record set to Covered Entity or individual as required under 45 CFR § 164.524.
(f) Make available PHI for amendment and incorporate any amendments to PHI in a designated record set as required under 45 CFR § 164.526.
(g) Maintain and make available the information required to provide an accounting of disclosures as required under 45 CFR § 164.528.
(h) Make internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of HHS for purposes of determining compliance.
3. PERMITTED USES AND DISCLOSURES
(a) Business Associate may use or disclose PHI as necessary to perform functions, activities, or services for Covered Entity as specified in the underlying service agreement, provided that such use or disclosure does not violate the HIPAA Rules.
(b) Business Associate may use PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate.
(c) Business Associate may de-identify PHI in accordance with 45 CFR § 164.514(a)-(c).
4. OBLIGATIONS OF COVERED ENTITY
Covered Entity shall:
(a) Inform Business Associate of any limitation(s) in the notice of privacy practices in accordance with 45 CFR § 164.520.
(b) Inform Business Associate of any changes in, or revocation of, the permission by an individual to use or disclose their PHI.
(c) Notify Business Associate of any restriction on the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 CFR § 164.522.
5. TERM AND TERMINATION
(a) This Agreement shall be effective as of the date signed and shall terminate when all PHI is destroyed or returned, or if not feasible, protections are extended in accordance with this Agreement.
(b) Either Party may terminate this Agreement if the other Party has materially breached this Agreement and failed to cure the breach within 30 days of written notice.
(c) Upon termination, Business Associate shall return or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity.
6. MISCELLANEOUS
(a) This Agreement shall be governed by and construed in accordance with applicable federal and state law.
(b) This Agreement may be amended only by written agreement signed by both Parties.
(c) Any ambiguity in this Agreement shall be interpreted to permit compliance with the HIPAA Rules.