BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement, (“BA Agreement”), is by and between you or the entity you represent (referred to herein as “you”, “your”, or “Covered Entity”), within the meaning as defined at 45 CFR 160.103) and Lifecycle Health Inc. (referred to herein as the “Business Associate”, within the meaning as defined at 45 CFR 160.103).
This BA Agreement takes effect with respect to the HIPAA Account (as defined below) on the date when you click an “Accept Lifecycle Health Business Associate Agreement and Designate HIPAA Account” button (or other electronic means made available by Lifecycle Health for such purpose) presented with this Agreement (the “Agreement Effective Date”). You represent to Lifecycle Health that you are lawfully able to enter into contracts (e.g., you are not a minor). If you are entering into this Addendum for an entity, such as the company you work for, you represent to AWS that you have legal authority to bind that entity.
WHEREAS, Covered Entity and Business Associate are parties to an arrangement pursuant to which Business Associate shall provide certain services to Covered Entity as further set forth in the Terms of Service found at http://www.lifecyclehealth.com/terms (the “Terms of Service”) and incorporated by reference. In connection with Business Associate’s services, Business Associate may assist in the performance of a function or activity involving the use or disclosure of individually identifiable health information, which information is subject to protection under the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164 (collectively referred to herein as the “HIPAA Rules”); and
[IF APPLICABLE] WHEREAS, Covered Entity operates a drug and alcohol treatment program that must comply with the Federal Confidentiality of Alcohol and Drug Abuse Patient Records law and regulations, 42 U.S.C. §290dd-2 and 42 C.F.R. Part 2 (“42 C.F.R. Part 2”);
[IF APPLICABLE] WHEREAS, Business Associate is also a Qualified Service Organization (“QSO”) under 42 C.F.R. Part 2 and must agree to certain mandatory provisions regarding the use and disclosure of substance abuse treatment information; and
WHEREAS, in light of the foregoing and the requirements of HIPAA Rules, Business Associate and Covered Entity agree to be bound by the following terms and conditions:
NOW, THEREFORE, for good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the parties agree as follows:
1. General Definitions. The following terms used in this Agreement shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, Disclosure, Electronic Protected Health Information, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Protected Health Information, Required By Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use.
2. Obligations and Activities of BusinessAssociate.
a. Use and Disclosure. Business Associate agrees not to use or disclose Protected Health Information other than as permitted or required by this BA Agreement, the Terms of Service or as Required By Law. Business Associate shall comply with the provisions of this BA Agreement and the Terms of Service relating to privacy and security of Protected Health Information and all present and future provisions of the HIPAA Rules that relate to the privacy and security of Protected Health Information and that are applicable to Covered Entity and/or Business Associate.
b. Appropriate Safeguards. Business Associate agrees to use appropriate safeguards to prevent the use or disclosure of the Protected Health Information other than as provided for by this BA Agreement or the Terms of Service. Without limiting the generality of the foregoing sentence, Business Associate will:
(i) Comply with its administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of Electronic Protected Health Information as required by the HIPAARules;
(ii) Ensure that any agent, including a subcontractor, to whom Business Associate provides Electronic Protected Health Information agrees to implement reasonable and appropriate safeguards to protect Electronic Protected Health Information;
(iii) Report in writing to Covered Entity without unreasonable delay any Security Incident of which Business Associate becomes aware as well as any use or disclosure of Protected Health Information of which it becomes aware not provided for by the BA Agreement. In addition, Business Associate agrees to report in writing to Covered Entity without unreasonable delay following the discovery of any Breach as required at 45 CFR 164.410;
(iv) Comply with its Breach notification policy that reasonably and appropriately identifies any potential Breach of the HIPAA Rules by Business Associate and/or to the extent Business Associate has knowledge of, by Covered Entity, and provides procedure for proper response and notification of any such Breach as required by the HIPAA Rules and any other applicable Federal or State laws; and
(v) Notify Covered Entity in writing without unreasonable delay of discovery if the Business Associate knows of a pattern of activity or practice of a subcontractor or agent that Business Associate believes constitutes a material breach or violation of the subcontractor or agent’s obligations under HIPAA pertaining to Covered Entity’s PHI, and Business Associate must take reasonable steps to cure the breach or end the violation. If the steps are unsuccessful, Business Associate agrees to terminate the arrangement with the subcontractor or agent.
c. Mitigation. Business Associate agrees to reasonably mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate or its employees, officers or agents in violation of the requirements of this BA Agreement (including, without limitation, any Security Incident or Breach of Unsecured Protected Health Information). Business Associate agrees to reasonably cooperate and coordinate with Covered Entity in the investigation of any violation of the requirements of this BA Agreement and/or any Security Incident or Breach. Business Associate shall also reasonably cooperate and coordinate with Covered Entity in the preparation of any reports or notices to the Individual, a regulatory body or any third party required to be made under HIPAA Rules, or any other Federal or State laws, rules or regulations, provided that any such reports or notices shall be subject to the prior written approval of Covered Entity.
d. Agents. Business Associate shall ensure that any agent, including a subcontractor, to whom it provides Protected Health Information received from, or created or received by, Business Associate on behalf of Covered Entity agrees to the same restrictions and conditions that apply through this BA Agreement to Business Associate with respect to such information.
e. Access to Designated Record Sets. To the extent that Business Associate possesses or maintains Protected Health Information in a Designated Record Set, Business Associate agrees to provide access, at the request of Covered Entity and in accordance with the Terms of Service, and in the time and manner designated by the Covered Entity, to Protected Health Information in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under HIPAA Rules. If an Individual makes a request for access to Protected Health Information directly to Business Associate, Business Associate shall notify Covered Entity of the request within three (3) business days of such request and will cooperate with Covered Entity and allow Covered Entity to send the response to theIndividual.
f. Amendments to Designated Record Sets. To the extent that Business Associate possesses or maintains Protected Health Information in a Designated Record Set, Business Associate agrees to make any amendment(s) to Protected Health Information in a Designated Record Set that the Covered Entity directs or agrees to pursuant to HIPAA Rules at the request of Covered Entity or an Individual, and in the time and manner designated by the Covered Entity. If an Individual makes a request for an amendment to Protected Health Information directly to Business Associate, Business Associate shall notify Covered Entity of the request within three business (3) days of such request and will cooperate with Covered Entity and allow Covered Entity to send the response to the Individual.
g. Access to Books and Records. Business Associate agrees to make its internal practices, books, and records, including policies and procedures and Protected Health Information, relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of, Covered Entity available to the Covered Entity, or to the Secretary, in a time and manner designated by the Covered Entity or designated by the Secretary, for purposes of the Secretary determining Covered Entity’s compliance with the Privacy Rule during the term of this BA Agreement and for a period of six (6) years after termination hereof.
h. Accountings. Business Associate agrees to document such disclosures of Protected Health Information and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with the HIPAARules.
i. Requests for Accountings. Business Associate agrees to provide to Covered Entity or an Individual, in the time and manner designated by the Covered Entity, information collected in accordance with this BA Agreement, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with the HIPAA Rules. If an Individual makes a request for an accounting directly to Business Associate, Business Associate shall notify Covered Entity of the request within three business (3) days of such request and will cooperate with Covered Entity and allow Covered Entity to send the response to the Individual.
3. Permitted Uses and Disclosures by Business Associate.
a. Required For Provision of Services. Except as otherwise limited in this BA Agreement or the Terms of Service, Business Associate may use or disclose Protected Health Information to perform functions, activities, or services for, or on behalf of, Covered Entity as reasonably required in performing its services to Covered Entity, provided that such use or disclosure would not violate the HIPAA Rules if done by Covered Entity or the minimum necessary policies and procedures of the Covered Entity. To the degree required for provision of services hereunder and under the Terms of Service, Business Associate may de-identify information received from Covered Entity for such purposes as would not violate the HIPAA Rules if done by Covered Entity or the minimum necessary policies and procedures of the Covered Entity.
b. Use for Administration of Business Associate. Except as otherwise limited in this BA Agreement or the Terms of Service, Business Associate may use Protected Health Information for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate.
c. Disclosure for Administration of Business Associate. Except as otherwise limited in this BA Agreement or the Terms of Service, Business Associate may make uses and disclosures and requests for Protected Health Information for the proper management and administration of the Business Associate, provided that (i) disclosures are Required by Law, (ii) disclosures are consistent with the Covered Entity’s minimum necessary policies and procedures, or (iii) Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
4. Obligations and Activities of Qualified Service Organization.
To the extent that Business Associate is also considered a Qualified Service Organization (“QSO”), with access to protected substance abuse treatment information, Business Associate agrees to the following:
In receiving, storing, processing or otherwise dealing with any protected substance abuse information from Covered Entity, Business Associate is fully bound by the provisions of the federal regulations governing Confidentiality of Alcohol and Drug Abuse Patient Records, 42 C.F.R. Part 2.
If necessary, Business Associate will resist in judicial proceedings any efforts to obtain access to protected substance abuse information unless access is expressly permitted under 42 C.F.R. Part 2.
Business Associate acknowledges that any unauthorized disclosure of information under this section is a federal criminal offense.
5. Covered Entity Notification of Privacy Practices andRestrictions.
a. Limitation(s) in Privacy Policies. Covered Entity shall notify Business Associates of any limitation(s) in its notice of privacy practices, to the extent that any such limitation may affect Business Associate’s uses or disclosure of Protected Health Information.
b. Changes/Revocation of Permission. Covered Entity shall notify Business Associate of any changes in, or revocation of, the permission by an Individual to use or disclose Protected Health Information, to the extent that such changes may affect Business Associate’s use or disclosure of protected health information.
c. Restriction of Protected Health Information. Covered Entity shall notify Business Associate of any restriction on the use or disclosure of protected health information that covered entity has agreed to or is required to abide by under the HIPAA Rules, to the extent that such restriction may affect Business Associate’s use or disclosure of protected health information.
6. Permissible Requests by Covered Entity. Except as otherwise Required By Law, the Terms of Service or set forth herein, Covered Entity shall not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under the HIPAA Rules if done by Covered Entity.
7. Term and Termination.
a. Term. This BA Agreement shall be effective as of the date of this BA Agreement and shall terminate upon the earlier of the termination of the Services or effective date of Termination for Cause.
b. Termination for Cause. Business Associate authorizes termination of this BA Agreement by Covered Entity, if Covered Entity determines Business Associate has violated a material term of the BA Agreement and Business Associate shall take reasonable steps to cure the breach or end the violation as soon as possible.
c. Obligations of Business Associate Upon Termination. Upon termination of this BA Agreement for any reason, Business Associate, with respect to Protected Health Information received from Covered Entity, or created, maintained, or received by Business Associate on behalf of Covered Entity, shall, unless otherwise stated in the Terms ofService:
(i) Retain only that Protected Health Information which is necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities;
(ii) Return to Covered Entity, or, if agreed to by Covered Entity, destroy, the remaining Protected Health Information that the Business Associate still maintains in any form;
(iii) Continue to use appropriate safeguards and comply the HIPAA Rules with respect to Electronic Protected Health Information to prevent use or disclosure of the Protected Health Information, other than as provided for in this Section, for as long as Business Associate retains the Protected Health Information;
(iv) Not use or disclose the Protected Health Information retained by Business Associate other than for the purposes for which such Protected Health Information was retained and subject to the same conditions set out in Section 3 which applied prior to termination; and
(v) Return to covered entity, or, if agreed to by covered entity, destroy the Protected Health Information retained by Business Associate when it is no longer needed by Business Associate for its proper management and administration or to carry out its legal responsibilities.
(vi) Business Associate shall ensure that these termination Obligations (6.c) are likewise imposed by Business Associate upon any subcontractors that create, receive or maintain any of Covered Entity’s Protected Health Information.
d. Survival. The obligations of Business Associate under this Section 6 shall survive the termination of this BAAgreement.
8. Compliance with HIPAA Transaction Standards. When providing its services and/or products, Covered Entity and Business Associate shall comply with all applicable HIPAA Rules standards and requirements with respect to the transmission of Electronic Protected Health Information in connection with any transaction for which the Secretary has adopted a standard under HIPAA (“Covered Transactions”). Covered Entity and Business Associate each represents and warrants that it is aware of all current HIPAA standards and requirements regarding Covered Transactions, and Covered Entity and Business Associate shall comply with any modifications to the HIPAA Rules which may become effective from time to time. Covered Entity and Business Associate each agree that such compliance shall be at its sole cost and expense, which expense shall not be passed on to the other party in any form, including, but not limited to, increased fees. Covered Entity and Business Associate shall require all of its agents and subcontractors (if any) who assist Covered Entity and Business Associate in providing its services and/or products to comply with the terms of this Section 8.
a. Necessary Consents. Covered Entity warrants that it will obtain any necessary authorizations, consents, and other permissions that may be required under applicable law prior to placing Covered Entity content, including without limitation PHI, in the Lifecycle Health service.
b. Identification of the HIPAA Account: By clicking an “Accept Lifecycle Health BAA and Designate HIPAA Account” button (or other electronic means made available by Lifecycle Health for such purpose) presented with this Addendum, you have identified the account that you used to log in to Lifecycle Health service to accept this Addendum as an account that contains “protected health information” as defined in 45 C.F.R. § 160.103.
9. Miscellaneous.
a. Regulatory References. A reference in this BA Agreement to a section in the HIPAA Rules means the section as in effect or as amended or modified from time to time, including any corresponding provisions of subsequent superseding laws or regulations.
b. Amendment. The Parties agree to take such action as is necessary to this BA Agreement from time to time as is necessary for Covered Entity to comply with the requirements of the HIPAA Rules and any other applicable law.
c. Interpretation. Any ambiguity in this Agreement shall be resolved to permit Covered Entity to comply with the HIPAARules.
d. Miscellaneous. This BA Agreement shall be governed by, and construed in accordance with the laws of the State of Michigan, exclusive of conflict of law rules. Each party to this BA Agreement hereby agrees and consents that any legal action or proceeding with respect to this BA Agreement shall only be brought in the courts of the state of Michigan. This BA Agreement and the Terms of Service constitute the entire agreement between the parties with respect to the subject matter contained herein, and this BA Agreement supersedes and replaces any former business associate agreement or addendum entered into by the parties. This BA Agreement may be executed in counterparts, each of which when taken together shall constitute one original. Any PDF or facsimile signatures to this BA Agreement shall be deemed original signatures to this BA Agreement. No amendments or modifications to the BA Agreement shall be effected unless executed by both parties in writing, which acceptance may be made electronically through the Lifecycle Health Acceptance button or through other electronic means made available by AWS for such purpose.
e. LitigationorAdministrativeProceedings. BusinessAssociateshallnotifyCovered Entity within forty-eight (48) hours of any litigation or administrative proceedings commenced against Business Associate or its agents or subcontractors related to Covered Entity’s PHI. In addition, Business Associate shall make itself, and any subcontractors, employees and agents assisting Business Associate in the performance of its obligations pursuant to the Underlying Agreement or this Agreement, available to Covered Entity, at no cost to Covered Entity, to testify as witnesses, or otherwise, in the event of litigation or administrative proceedings being commenced against Covered Entity, its directors, officers or employees based upon a claimed violation of HIPAA or other State or Federal laws relating to security and privacy, except where Business Associate or its subcontractor, employee or agent is a named adverse party.
f. Survival. The following terms and provisions shall survive termination of this Agreement for any reasons: Sections 2, 7.c, and Sections 10.d, e, f and g.
4852-9928-9901, v. 12
Business Associate Agreement NC (online) v 2020-1.0
[Remainder of Page Intentionally Left Blank]