This Business Associate Agreement (“Agreement”) is made and entered, by and between healthcare provider (together with its affiliates, “Provider”) and the Nest Health Tech Inc., with a principal business address of 251 Little Falls Drive, Wilmington, Delaware 19808, USA (“Business Associate”).
WHEREAS, the parties have entered into a business relationship whether by contract, commercial course of dealing, or otherwise, whereby Business Associate provides certain services to PROVIDER and Business Associate receives, has access to, creates, maintains, or transmits information that may be protected health information in order to provide such services; and
WHEREAS, the Provider has not provided its own Business Associate Agreement for exchange of personal health information, and in the absence of a Provider form, Business Associate and Provider agree to comply with and be bound by the terms hereof;
WHEREAS, whether or not PROVIDER is a “Covered Entity” or a "Business Associate" as defined by the Health Insurance Portability and Accountability Act of 1996, as amended (“HIPAA”), the parties desire to conduct themselves for purposes hereof as if PROVIDER is a Covered Entity;
WHEREAS, whether or not required to do so by law, PROVIDER and Business Associate intend to protect the privacy and provide for the security of protected health information disclosed to Business Associate in compliance with HIPAA, the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), and regulations promulgated thereunder, and as may be amended from time to time (collectively the “Privacy and Security Regulations”), and other applicable laws; and
WHEREAS, whether or not required by the Privacy and Security Regulations, PROVIDER and Business Associate desire to enter into this contract containing specific requirements as set forth in the Privacy and Security Regulations;
NOW, THEREFORE, in consideration of the foregoing, and for other good and valuable consideration, the receipt and adequacy of which is hereby acknowledged, the parties agree as follows:
1.1. “Privacy Rule” means the Standards of Privacy of Individually Identifiable Health Information at 45 C.F.R. Subparts 160 and 164, A and E.
1.2. “Security Rule” means the Standards for the Security of Electronic Protected Health Information at 45 C.F.R. part 164, Subparts A and C.
1.3. “Services” means those activities, functions, or services that Business Associate provides for, or on behalf of PROVIDER, provided that such activities, functions or services would not violate the Privacy and Security Regulations if done by PROVIDER as a Covered Entity.
1.4. Terms used but not otherwise defined in this Agreement shall have the same meaning as those terms in the Privacy and Security Regulations.
2. Assurances by Business Associate Regarding PHI. Business Associate agrees that, whether or not PROVIDER is a “Covered Entity” as defined by HIPAA, PROVIDER shall be deemed for the purposes hereof a Covered Entity and Business Associate will comply with relevant portions of the Privacy and Security Regulations as those regulations apply to business associates and business associate subcontractors with respect to the Services. More specifically, and insofar that Business Associate has access to, receives, maintains, transmits, or will be creating PHI regarding PROVIDER’s patients, Business Associate agrees to the terms provided herein.
3. Permitted Uses and Disclosures of PHI. Business Associate shall Use and Disclose PHI in the amount minimally necessary to perform the Services for or on behalf of PROVIDER, provided that such Use or Disclosure would not violate the Privacy and Security Regulations if done by PROVIDER. Further, Business Associate:
i. shall Disclose PHI received from PROVIDER or created in connection with the Services to PROVIDER, upon request, in order to enable PROVIDER to meet its legal obligations as a Covered Entity;
ii. may Use PHI as necessary for the proper management and administration of its business or to carry out its legal responsibilities. Business Associate may also Use and Disclose PHI if:
(a) the Disclosure is required by law, or
(b) Business Associate obtains reasonable assurance from the person to whom the PHI is Disclosed that the PHI will be held confidentially and Used or further Disclosed only as required by law or for the purpose for which it was Disclosed to the person, and the person agrees to notify Business Associate of any instances of which the person is aware in which the confidentiality of the PHI has been breached. Business Associate shall not Use or Disclose PHI for any other purpose.
iii. use PHI in its possession to provide data aggregation services relating to the Services and to health care operations of the PROVIDER as the Covered Entity; or
iv. de-identify any and all PHI in accordance with 45 CFR. § 164.514(b). PROVIDER acknowledges and agrees that de-identified information is not PHI and that Business Associate may use such de-identified information for any lawful purpose.
4. Prohibition on the Sale of PHI. Business Associate shall not directly or indirectly receive remuneration in exchange for any of PROVIDER’s PHI, except from PROVIDER for the performance of the Services, unless PROVIDER or Business Associate obtain a valid, signed authorization from the individual whose PHI is at issue and that specifies whether the PHI can be further exchanged for remuneration by the entity receiving the PHI, except as otherwise permitted by the Privacy and Security Regulations.
5. Adequate Safeguards for PHI.
5.1. Business Associate shall implement and maintain appropriate safeguards to prevent the Use or Disclosure of PHI in any manner other than permitted by this Agreement.
5.2. Business Associate shall implement administrative, physical, and technical safeguards set forth in the Security Regulations that reasonably and appropriately protect the confidentiality, integrity, and availability of Electronic PHI that it creates, receives, maintains, or transmits on behalf of PROVIDER to prevent use or disclosure of the information other than as provided for by this Agreement.
5.3. Business Associate shall maintain policies and procedures, conduct ongoing risk assessment and risk management of its security program, identify a security official, train and discipline its work force in compliance with the relevant portions of the Privacy and Security Regulations. Business Associate agrees to make its policies and procedures, risk assessments, and training and education documents available to PROVIDER upon PROVIDER’s request.
6. Availability of Internal Practices, Books and Records to Government Agencies. Business Associate agrees to make its internal practices, policies and procedures, books, and records relating to the Use and Disclosure of PHI available to the Secretary for purposes of determining PROVIDER’s compliance with the Privacy and Security Regulations. Business Associate shall immediately notify PROVIDER of any such requests made by the Secretary and provide PROVIDER with copies of any such documents produced in response to such request.
7. Access to PHI.
7.1. Business Associate shall make PHI maintained by Business Associate in a designated record set available to PROVIDER, or as directed by PROVIDER, to the individual identified as being entitled to access and copy that PHI, within the time frame and in a manner specified by PROVIDER, subject to the Privacy and Security Regulations.
7.2. If Business Associate uses or maintains Electronic PHI, Business Associate must provide access to such PHI in an electronic format if so requested by an individual if the PHI is readily producible in such form or format; or if not, in a readable copy form or such other form and format as agreed by the individual, PROVIDER, and Business Associate, in all cases, subject to the Privacy and Security Regulations.
8. Amendment of PHI. Business Associate shall make PHI maintained by Business Associate in a designated record set available to PROVIDER for the purpose of amendment and incorporating such amendments into PHI within the time and in such a manner specified by PROVIDER.
9. Accounting of Disclosures. Upon PROVIDER’s request, Business Associate shall provide to PROVIDER an accounting of each Disclosure of PHI made by Business Associate or its employees, agents, representatives, or subcontractors.
9.1. Business Associate shall implement a process that allows for an accounting to be collected and maintained for any Disclosure of PHI for which PROVIDER is required to maintain. Business Associate shall include in the accounting: (a) the date of the Disclosure; (b) the name, and address if known, of the entity or person who received the PHI; (c) a brief description of the PHI disclosed; and (d) a brief statement of the purpose of the Disclosure. For each Disclosure that requires an accounting under this section, Business Associate shall document the information specified in (a) through (d), above, and shall securely retain this documentation for six (6) years from the date of the Disclosure.
9.2. For repetitive Disclosures of PROVIDER’s PHI that Business Associate makes for a single purpose to the same person or entity, the Disclosure information that Business Associate must record is either the Disclosure information specified above for each accountable Disclosure, or (a) the Disclosure information specified above for the first of the repetitive accountable Disclosure; (b) the frequency, periodicity, or number of the repetitive accountable Disclosures; and (c) the date of the last of the repetitive accountable Disclosures.
10. Reporting Breaches, Unauthorized Use or Disclosure of PHI, and Security Incidents.
10.1. Business Associate shall report to PROVIDER:
i. Any Security Incident of which it becomes aware, including
1. Breach of PHI; or
2. Each access, acquisition, Use, or Disclosure of PHI that is made by Business Associate, its employees, representatives, agents, or subcontractors that is not specifically permitted by this Agreement.
10.2. Business Associate shall notify PROVIDER of Business Associate’s subcontractor or agent’s Breach of PHI, Unauthorized Use or Disclosure of PHI, or any Security Incident involving PROVIDER’s PHI as set forth in Section 11.1 below.
10.3 The provisions of this Section 10 shall apply, mutatis mutandis, to PROVIDER as a Covered Entity to the extent it becomes of a Breach of PHI, Unauthorized Use, Disclosure of PHI or a Security Incident in connection with the Services.
11. Business Associate’s Notice to PROVIDER.
11.1. Business Associate shall notify PROVIDER’s Privacy Official by telephone call "without unreasonable delay" but no later than 60 days after discovery and/or notification of the Breach, Unauthorized Use or Disclosure, or Security Incident, as required by law.
11.2. Business Associate shall notify PROVIDER of all Breaches, even if Business Associate determines there is a low probability that the PHI has been compromised based on its risk assessment.
11.3. Business Associate shall provide a full written report to PROVIDER’s Privacy Official "without unreasonable delay" but no later than 60 days after discovery and/or notification of the breach, as required by law. Business Associate shall include the following in the written report, to the extent the information is known:
i. nature of the Breach or Unauthorized Use or Disclosure of PHI, or Security Incident, which will include a description of what occurred, including the date of the Breach and the date of the discovery of the Breach and whether the PHI was actually acquired or reviewed;
ii. Identify each individual in PROVIDER’s PHI that was subject to, or reasonably believed to be subject to, the Breach, Unauthorized Use or Disclosure of PHI, or Security Incident including name, demographic information, social security number, and other information involved including types of identifiers and likelihood of re-identification;
iii. Identify who made the Breach, Unauthorized Use or Disclosure of PHI, or Security Incident and who received the PHI;
iv. The corrective action or mitigation effort the Business Associate took or will take to prevent further Breaches, Unauthorized Uses or Disclosures of PHI, or Security Incidents;
v. The steps the individuals who are the subject of a Breach should take to protect themselves; and
vi. Additional information as PROVIDER may reasonably request.
11.4 The provisions of Section 11 shall apply, mutatis mutandis, to PROVIDER with respect to any Breach, Unauthorized Use or Disclosure of PHI or Security Incident that occurred with respect to PHI provided to PROVIDER in connection with the Services.
12. Authorization for Electronic Disclosure of PHI. Business Associate shall ensure that it has obtained an Individual’s authorization for the electronic disclosure of PHI prior to the electronic disclosure except when made pursuant to this Agreement and for treatment, payment or health care operations as defined by HIPAA.
13. Request for electronic health record. If an individual requests in writing a copy of the individual’s electronic health record, to the extent legally permissible, Business Associate shall provide the electronic health record to the Individual within thirty (30) business days of receiving the request and in electronic format unless the individual consents otherwise.
14. Training of Business Associate’s Employees. Business Associate shall provide a training program to its employees regarding HIPAA/HITECH and applicable law concerning PHI as necessary and appropriate for the employees to carry out their job duties. Such training shall occur within ninety (90) days of hire of a new employee. In the event of a material change in the applicable law concerning protected health information that affects the employee’s duties, the training described above shall be provided within one year from the effective date of the change. Business Associate shall maintain documentation of each employee’s signed verification of attendance in such training program, maintain the signed verification of attendance for six (6) years from the date it is signed, and provide this documentation to PROVIDER upon request pursuant to this Agreement.
15. Notices. Any notice required under this Agreement to be given to a party shall be made to:
If to Business Associate If to PROVIDER:
Nest Health Tech Inc. At the address provided by Provider to Business Associate.
Attention: Privacy Officer
16. Mitigation and Cooperation. Each party shall mitigate, at its sole cost and expense, any harmful effect that is known to it for the Breach, or Use, or Disclosure of PHI, or a Security Incident by such party in violation of this Agreement. The non-breaching party shall be solely responsible to conduct a Breach risk assessment to determine whether PHI has been compromised and notification to individuals is required. Business Associate shall cooperate with PROVIDER in the notification of individuals as required and in the manner as set forth in the Privacy and Security Regulations.
17. Remedies in Event of Breach of PHI. In the event of a Breach, Unauthorized Use or Disclosure of PHI, or Security Incident by a party, the non-breaching party shall be entitled to seek to enjoin and restrain the breaching party from any continued violation of this Agreement.
17.1. Notification costs related to Breach of PHI. In the event of a Breach of PHI caused by a party, the costs related to notifying the affected individuals shall be borne by the breaching party. Such costs, if appropriate and reasonable under the circumstances, may include and may not be limited to the actual cost of notification, setting-up and managing a toll-free number, and credit monitoring.
18. Indemnification. Each party shall indemnify, defend, and hold harmless the other party, its directors, officers, employees, and agents from and against any and all claims, actions, demands, liabilities, judgments, losses, damages, penalties, fines, costs, fees, expenses, and reasonable attorney’s fees (collectively, the “Losses”) that are attributable to the acts or omissions of the indemnifying party or indemnifying party’s material breach of this Agreement.
NOWITHSTANDING THE AFORESAID, IN NO EVENT SHALL EITHER PARTY HAVE ANY LIABILITY TO THE OTHER PARTY FOR ANY LOST PROFITS OR REVENUES OR FOR ANY INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, COVER OR PUNITIVE DAMAGES HOWEVER CAUSED, WHETHER IN CONTRACT, TORT (INCLUDING NEGLIGENCE) OR UNDER ANY OTHER THEORY OF LIABILITY, AND WHETHER OR NOT SUCH PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES AND NOTWITHSTANDING ANY FAILURE OF THE ESSENTIAL PURPOSE OF THIS AGREEMENT OR ANY LIMITED REMEDY HEREUNDER. IN ADDITION, IN NO EVENT SHALL THE AGGREGATE LIABILITY OF EITHER PARTY ARISING OUT OF OR RELATED TO THIS AGREEMENT, WHETHER IN CONTRACT, TORT (INCLUDING NEGLIGENCE) OR UNDER ANY OTHER THEORY OF LIABILITY, EXCEED A TOTAL AMOUNT OF $50,000, NOTWITHSTANDING ANY FAILURE OF THE ESSENTIAL PURPOSE OF THIS AGREEMENT OR ANY LIMITED REMEDY HEREUNDER.
19. PROVIDER Obligations. PROVIDER shall notify Business Associate of:
19.1. Any limitations in PROVIDER’s notice of privacy practices to the extent that such limitation may affect Business Associate’s Use or Disclosure of PHI;
19.2. Any changes in, or revocation of, permission by the individual to Use or Disclose PHI, to the extent that such changes may affect Business Associate’s Use or Disclosure of PHI; and
19.3. Any restriction to the Use or Disclosure of PHI that PROVIDER has agreed to provide to the individual, to the extent that such restriction may affect the Business Associate’s Use or Disclosure of PHI.
19.4. PROVIDER shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy and Security Regulations if done by PROVIDER as a Covered Entity.
20. Disposition of PHI Upon Termination or Expiration. Upon termination or expiration of this Agreement, Business Associate shall either return or destroy, all PHI in the possession or control of Business Associate and its subcontractors and agents. However, if either return or destruction of PHI is not feasible, Business Associate may retain PHI provided that Business Associate (a) continues to comply with the provisions of this Agreement for as long as it retains PHI, and (b) limits further Uses and Disclosures of PHI to those purposes that make the return or destruction of PHI infeasible.
21. Document Retention. Business Associate shall maintain all documentation required by the Privacy and Security Regulations for the period set forth in the Privacy and Security Regulations.
22. Conflict. In the event there is a conflict between the language of this Agreement and the underlying services agreement between the parties, the terms and conditions of this Agreement shall control.
23. No Third-Party Beneficiaries. There are no third-party beneficiaries to this Agreement.
24. Independent Contractor. PROVIDER and Business Associate expressly acknowledge and agree that Business Associate is an independent contractor and shall not for any purpose be deemed to be an agent, employee, servant, partner, or joint venture of PROVIDER.
25. Use of Subcontractors and Agents. Business Associate agrees to ensure that any subcontractors and agents that create, receive, maintain, or transmit PROVIDER’s PHI on behalf of Business Associate agree in writing to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information. Moreover, Business Associate agrees to ensure any such subcontractor or agent agrees to implement reasonable and appropriate safeguards to protect PROVIDER’s Electronic PHI.
26. Term and Termination. This Agreement is effective as of the Effective Date and it will continue in effect until termination or expiration of all underlying agreements. In addition to and notwithstanding the termination provisions set forth in the underlying services agreement, both this Agreement and the underlying services agreement may be terminated by either party immediately and without penalty upon written notice by to the other party if a party determines, in its sole discretion, that the other party has violated any material term of this Agreement. The terms and conditions of this Agreement shall survive the expiration or termination of the underlying services agreement.
27. Interpretation. Any ambiguity in this Agreement shall be resolved to permit the parties to comply with the Privacy and Security Regulations.
INTENDED TO BE LEGALLY BOUND, the parties agree to the terms hereof as of the first date on which they exchange personal health information.