Legal Notice: This template is provided as a starting point for healthcare clients requiring a HIPAA Business Associate Agreement with KAITALK. Review with qualified legal counsel before execution. This document does not constitute legal advice.
This HIPAA Business Associate Agreement ("Agreement") is entered into as of ("Effective Date"), between:
Covered Entity: ("Covered Entity"), a organized under the laws of , and
Business Associate: KAITALK, a product of Polsia Inc., a Delaware corporation, with its principal place of business at the address on file ("Business Associate" or "BA").
Covered Entity and Business Associate are referred to herein individually as a "Party" and collectively as the "Parties."
This Agreement is incorporated into and made a part of the underlying service agreement between the Parties (the "Service Agreement"). In the event of a conflict between this Agreement and the Service Agreement regarding the subject matter herein, this Agreement shall control.
Capitalized terms used but not otherwise defined herein shall have the meanings ascribed to them under HIPAA.
"Breach" means the acquisition, access, use, or disclosure of Protected Health Information in a manner not permitted under the HIPAA Privacy Rule which compromises the security or privacy of the PHI, as defined in 45 C.F.R. § 164.402.
"Business Associate" shall have the meaning given to such term under the Privacy Rule, the Security Rule, and the Breach Notification Rule, including, without limitation, 45 C.F.R. § 160.103.
"Electronic Protected Health Information" or "ePHI" means Protected Health Information that is transmitted by, or maintained in, electronic media, as defined in 45 C.F.R. § 160.103.
"HIPAA" means the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, and all regulations promulgated thereunder, including the Privacy Rule (45 C.F.R. Parts 160 and 164), the Security Rule (45 C.F.R. Parts 160 and 164), and the Breach Notification Rule (45 C.F.R. Parts 160 and 164).
"Privacy Rule" means the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. Parts 160 and 164, Subparts A and E.
"Protected Health Information" or "PHI" means individually identifiable health information transmitted or maintained in any form or medium, as defined in 45 C.F.R. § 160.103, limited to the PHI that Business Associate creates, receives, maintains, or transmits on behalf of Covered Entity.
"Security Rule" means the Security Standards for the Protection of Electronic Protected Health Information at 45 C.F.R. Parts 160 and 164, Subparts A and C.
"Subcontractor" means a person or entity who acts on behalf of the Business Associate, other than in the capacity of a member of the Business Associate's workforce, as defined in 45 C.F.R. § 160.103.
Business Associate may use or disclose PHI only as necessary to perform the services described in the Service Agreement on behalf of Covered Entity, and only in a manner consistent with this Agreement and the requirements of HIPAA. Specifically, Business Associate may:
Business Associate shall use, disclose, or request only the minimum PHI necessary to accomplish the intended purpose of the use, disclosure, or request.
Business Associate may use PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, provided that disclosures are required by law or Business Associate obtains reasonable assurances that the information will remain confidential and that any breaches will be promptly reported.
Business Associate shall not:
Business Associate shall implement and maintain appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of PHI (including ePHI) that it creates, receives, maintains, or transmits on behalf of Covered Entity, in accordance with the requirements of the Security Rule (45 C.F.R. §§ 164.308, 164.310, 164.312).
Business Associate shall report to Covered Entity:
Notice shall be provided to Covered Entity's designated Privacy Officer at the contact information provided by Covered Entity.
Business Associate shall mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of this Agreement.
Business Associate shall ensure that any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees, in writing, to the same restrictions, conditions, and requirements that apply to Business Associate under this Agreement, pursuant to 45 C.F.R. § 164.504(e)(2)(ii)(D) and § 164.308(b). Business Associate remains liable for the acts and omissions of its Subcontractors to the same extent as it would be for its own acts and omissions.
To the extent Business Associate maintains PHI in a designated record set, Business Associate shall make such PHI available to Covered Entity as necessary for Covered Entity to fulfill its obligations to provide individuals with access to their PHI pursuant to 45 C.F.R. § 164.524. If an individual requests access to PHI directly from Business Associate, Business Associate shall promptly forward such request to Covered Entity.
To the extent Business Associate maintains PHI in a designated record set, Business Associate shall make such PHI available for amendment and shall incorporate any amendments to PHI as directed by Covered Entity pursuant to 45 C.F.R. § 164.526.
Business Associate shall document and make available to Covered Entity the information required for Covered Entity to respond to an individual's request for an accounting of disclosures of PHI as required by 45 C.F.R. § 164.528. Business Associate shall maintain such records for a minimum of six (6) years from the date of the disclosure.
Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, Covered Entity available to the Secretary of the U.S. Department of Health and Human Services (HHS) for purposes of determining Covered Entity's compliance with HIPAA, pursuant to 45 C.F.R. § 164.504(e)(2)(ii)(H).
Business Associate shall implement and maintain appropriate workforce training programs on HIPAA compliance policies and procedures, and shall take appropriate disciplinary action against workforce members who violate this Agreement or HIPAA requirements.
Covered Entity shall:
This Agreement shall be effective as of the Effective Date and shall remain in effect until terminated as provided herein or until the Service Agreement expires or is terminated, whichever is earlier.
Either Party may terminate this Agreement, and the Service Agreement, if the other Party materially breaches any provision of this Agreement. The non-breaching Party shall provide written notice of such breach to the breaching Party. The breaching Party shall have 30 calendar days from receipt of such notice to cure the breach. If the breach is not cured within the 30-day period, the non-breaching Party may immediately terminate this Agreement and the Service Agreement upon written notice to the breaching Party.
If termination is not feasible, the non-breaching Party shall report the problem to the Secretary of HHS.
Upon expiration or termination of this Agreement for any reason:
Each Party shall be responsible for and shall indemnify, defend, and hold harmless the other Party from and against any and all claims, losses, damages, penalties, fines, and expenses (including reasonable attorneys' fees) arising out of or relating to that Party's own violations of HIPAA, this Agreement, or applicable law. Neither Party shall be liable for the other Party's violations.
The Parties agree to take such action as is necessary to amend this Agreement from time to time as necessary for compliance with the requirements of HIPAA, the Privacy Rule, the Security Rule, and any other applicable law. Business Associate shall promptly implement any modifications required by regulatory changes and shall notify Covered Entity of material changes that affect obligations under this Agreement.
This Agreement shall be governed by and construed in accordance with the applicable provisions of Federal law, including HIPAA and the HITECH Act, and, where not preempted by Federal law, the laws of the state in which the Covered Entity is organized, without giving effect to any choice of law or conflict of law rules or provisions.
This Agreement, together with the Service Agreement and any exhibits or schedules attached hereto, constitutes the entire agreement of the Parties with respect to its subject matter and supersedes all prior and contemporaneous negotiations, representations, warranties, and agreements of the Parties with respect to such subject matter.
No amendment, modification, or supplement to this Agreement shall be effective unless set forth in a written instrument duly executed by authorized representatives of both Parties.
If any provision of this Agreement is held to be invalid or unenforceable, the remaining provisions shall continue in full force and effect, and the invalid or unenforceable provision shall be modified to the minimum extent necessary to make it valid and enforceable.
Nothing in this Agreement, express or implied, is intended to or shall confer upon any person or entity (other than the Parties and their respective successors and permitted assigns) any legal or equitable right, benefit, or remedy of any nature whatsoever under or by reason of this Agreement.
The respective rights and obligations of Business Associate under Sections 4, 5.7, 5.8, 7.3, and 8.1 of this Agreement shall survive the termination of this Agreement.
This Agreement may be executed in one or more counterparts, each of which shall constitute an original, and all of which together shall constitute one and the same Agreement. Electronic signatures shall be deemed valid and enforceable to the same extent as original signatures.
The Parties have executed this Agreement as of the Effective Date first written above. Each signatory represents that he or she is duly authorized to execute this Agreement on behalf of the respective Party.