Business Associate Agreement
This BUSINESS ASSOCIATE AGREEMENT (“BAA”) is entered into by and between Provider, as defined in the Therapist Terms and Conditions (“Covered Entity”), and Total Life Inc. and its affiliated companies (referred to herein as “Business Associate”) pursuant to the Therapist Terms and Conditions Provider has agreed to. The Effective Date of this BAA shall be the date Provider has agreed to this BAA through the Total Life Inc. Therapist Platform Registration.
WHEREAS, the U.S. Department of Health and Human Services (“HHS”) has promulgated privacy and security requirements reflecting the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), Public Law 104-191; and the American Recovery and Reinvestment Act of 2009 (the “ARR Act”), including, without limitation, the requirements of the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), which is part thereof, enacted and established additional provisions for written business associate agreements and required these additional provisions be incorporated into all business associate agreements;
WHEREAS, the HIPAA Rules provide that a Covered Entity is permitted to disclose Protected Health Information (“PHI”) to a Business Associate only if the Covered Entity has first obtained “satisfactory assurances,” in the form of a written contract requiring that the business associate will appropriately safeguard such PHI;
WHEREAS, Business Associate will be providing services to the Covered Entity as described in the Agreement (“Services”);
WHEREAS, Business Associate may, in the course of providing the Services to the Covered Entity, receive, create, use, and/or disclose PHI on Covered Entity’s behalf which would create a business associate relationship between the Parties, thus necessitating a written contract that meets the applicable requirements of the HIPAA Rules.
NOW THEREFORE, in consideration of the mutual promises contained herein and to the extent the Services create a business associate relationship between the Parties, Covered Entity and Business Associate (each a “Party” and together the “Parties”) agree as follows:
Definitions. Terms used, but not otherwise defined, in this Agreement shall have the same meaning as set forth in the Privacy Rule, the Security Rule (as both are defined below) and/or the security and privacy provisions of the ARR Act and the HITECH Act that are applicable to business associates along with any regulations issued by HHS with respect to the ARR Act and the HITECH Act that relate to the obligations of agents and subcontractors of business associates.
Electronic Protected Health Information or ePHI shall have the meaning given such term in 45 C.F.R. § 160.103, but limited to the information received from or created on behalf of Covered Entity by Business Associate to perform the Services.
HIPAA Rules shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 C.F.R. Part 160 and Part 164.
“Individual” shall have the same meaning as the term “individual” in 45 CFR §160.103 and shall include a person who qualifies as a personal representative in accordance with 45 CFR §164.502(g).
“Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 CFR Part 160 and Part 164, Subparts A and E.
Protected Health Information or PHI shall have the meaning given such term in 45 C.F.R. § 160.103, but limited to the information received from or created on behalf of Covered Entity by Business Associate to perform the Services.
“Security Rule” shall mean the Standards for Security of Individually Identifiable Health Information at 45 CFR Part 160 and Part 164, Subparts A and C.
2. Permitted Uses and Disclosures by Business Associate.
Business Associate may use and disclose PHI only as follows:
Business Associate may use or disclose PHI in order to perform its obligations under the Agreement relating to providing the Services.
Business Associate may use or disclose PHI as Required By Law.
Business Associate may use PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of Business Associate.
Business Associate may disclose PHI for the proper management and administration of Business Associate, provided that – (1) the disclosures are Required by Law, or (2) Business Associate obtains reasonable assurances from the entity to which the information is disclosed that it will be held confidential and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the entity, and the entity notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
Business Associate may use PHI to provide data aggregation services to Covered Entity.
Business Associate may use PHI to create de-identified information as defined by 45 C.F.R. §164.514(b). The Parties agree that once PHI is de-identified, it is no longer subject to this BAA.
Business Associate may use PHI to create a limited data set as defined by 45 C.F.R. §164.514(e)(2) and use and disclose such limited data set pursuant to 45 C.F.R. §164.514(e)(1).
Business Associate may use and disclose PHI for research purposes pursuant to a HIPAA compliant authorization form from the Individual or as permitted by and pursuant to 45 C.F.R. §164.512(i).
Business Associate agrees to use reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request pursuant to 45 C.F.R. § 164.502(b).
3. Obligations and Activities of Business Associate.
Business Associate agrees to:
not use or disclose PHI other than as permitted or required by this BAA or as Required By Law.
use commercially reasonable and appropriate safeguards, and comply with Subpart C of 45 C.F.R. Part 164 with respect to electronic PHI, to prevent use or disclosure of PHI other than as provided for by this BAA.
in accordance with 45 C.F.R. § 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any Subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to the same restrictions, conditions, and requirements that apply to the business associate with respect to such information.
report, within twenty (20) days of becoming aware, to Covered Entity any use or disclosure of the PHI not provided for by this BAA, any Breaches of Unsecured PHI as required at 45 C.F.R. § 164.410, and any successful Security Incident of which it becomes aware. Successful Security Incidents shall not include pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above, so long as no such incident results in unauthorized access, Use or Disclosure of PHI.
mitigate, to the extent practicable, any harmful effect that is, or becomes, known of a use or disclosure of PHI by the Business Associate or any of its employees, agents, contractors or subcontractors in violation of the requirements of this BAA, the Privacy Rule, ARR Act or HITECH Act.
implement and use appropriate policies and procedures for the identification and notification of Breach. Business Associate does not maintain medical records for the Covered Entity. The Covered Entity is expected to maintain all copies of records contained in Business Associate’s systems and make them available to Individuals as necessary to satisfy Covered Entity’s obligation under 45 C.F.R. § 164.524. To the extent that Business Associate does maintain PHI in a Designated Record Set that is not also maintained by the Covered Entity, Business Associate will provide a copy of PHI directly to the Individual or the Individual’s designee upon request.
make any amendment(s) to PHI in a Designated Record Set as directed or agreed to by the Covered Entity pursuant to 45 C.F.R. § 164.526, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. § 164.526.
maintain and make available the information required to provide an accounting of disclosures to the Individual as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. § 164.528.
comply with the requirements of Subpart E of 45 C.F.R. Part 164 to the extent Business Associate is to carry out one or more of Covered Entity’s obligations under Subpart E of 45 C.F.R. Part 164.
make its internal practices, books, and records, including policies and procedures, relating to the use and disclosure of PHI available to the Secretary, in a time and manner reasonably designated by the Secretary, for purposes of having the Secretary determine Covered Entity’s compliance with the Privacy Rule.
4. Obligations of Covered Entity.
To Inform of Privacy Practices and Restrictions:
Covered Entity shall notify Business Associate in writing of any limitation(s) in the Notice of Privacy Practices of Covered Entity under 45 C.F.R. § 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI.
Covered Entity shall notify Business Associate in writing of any changes in, or revocation of, the permission by an Individual to use or disclose his or her PHI, to the extent that such changes may affect Business Associate’s use or disclosure of PHI.
Covered Entity shall notify Business Associate in writing of any restriction on the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 C.F.R. § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.
Representations by Covered Entity.
Covered Entity represents that it has the right and authority to disclose PHI to Business Associate to enable Business Associate to perform its obligations and provide services to Covered Entity. Except as otherwise permitted in this BAA, Covered Entity shall not request that or permit Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Covered Entity.
5. Term and Termination.
Term. This BAA shall take effect on the Effective Date and shall terminate when the Agreement terminates.
Termination for Cause. Both Parties agree that this BAA may be terminated by either Party upon breach of a material term of the BAA. The non-breaching Party shall: provide the breaching Party the opportunity to cure the breach or end the violation within fifteen (15) days; and if cure of such breach is not possible or if the breaching Party does not cure the breach or end the violation within fifteen (15) days, terminate the BAA.
Effect of Termination.
Upon termination of this BAA for any reason, Business Associate shall:
Retain only that PHI which is necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities;
Destroy the remaining PHI that Business Associate still maintains in any form;
Continue to use appropriate safeguards and comply with Subpart C of 45 C.F.R. Part 164 with respect to electronic PHI to prevent use or disclosure of the PHI, other than as provided for in this section, for as long as Business Associate retains the PHI;
Not use or disclose the PHI retained by Business Associate other than for the purposes for which such PHI was retained and subject to the same conditions set out at section 2(c) and 2(d) which applied prior to termination; and
Destroy the PHI retained by Business Associate when it is no longer needed by Business Associate for its proper management and administration or to carry out its legal responsibilities.
The obligations of Business Associate under this section 5 shall survive the termination of this BAA.
Regulatory References. Any reference in this BAA to a section of the HIPAA Rules means the section as in effect or as amended.
Amendment. The Parties agree to take such action as is necessary to amend this BAA from time to time as is necessary for compliance with the requirements of the HIPAA Rules and any other applicable law.
Interpretation. Any ambiguity in this BAA shall be interpreted to permit compliance with the HIPAA Rules.
No Third-Party Beneficiaries. Nothing expressed or implied in this BAA is intended to confer, nor shall anything in the BAA be deemed to confer, upon any person other than the Parties and their respective successors or assigns, any rights, remedies, obligations, or liabilities whatsoever.
Governing Law. This BAA shall be governed by and construed in accordance with the laws of the State of Florida.
Last Updated and Effective: November 20, 2020