Business Associate Agreement

Version 1.0 — Effective March 14, 2026

THIS BUSINESS ASSOCIATE AGREEMENT ("Agreement") is entered into as of the date of electronic acceptance ("Effective Date") by and between:

Covered Entity: The healthcare provider accepting this Agreement ("Covered Entity" or "You")
Business Associate: Genograms.net ("Business Associate" or "We")

RECITALS

WHEREAS, Covered Entity and Business Associate have entered into or intend to enter into an arrangement whereby Business Associate may receive, create, maintain, or transmit Protected Health Information ("PHI") on behalf of Covered Entity;

WHEREAS, the parties intend to comply with the requirements of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the Health Information Technology for Economic and Clinical Health Act ("HITECH Act"), and their implementing regulations, including the Standards for Privacy of Individually Identifiable Health Information and Security Standards for the Protection of Electronic Protected Health Information (collectively, the "HIPAA Rules");

NOW, THEREFORE, the parties agree as follows:

1. DEFINITIONS

Terms used but not otherwise defined in this Agreement shall have the same meaning as defined in the HIPAA Rules (45 CFR Parts 160 and 164).

1.1 "Breach" means the acquisition, access, use, or disclosure of PHI in a manner not permitted under the HIPAA Privacy Rule which compromises the security or privacy of the PHI, subject to the exceptions set forth in 45 CFR §164.402.

1.2 "Electronic Protected Health Information" or "ePHI" means PHI that is transmitted by or maintained in electronic media as defined in the HIPAA Security Rule.

1.3 "Protected Health Information" or "PHI" means individually identifiable health information as defined in 45 CFR §160.103, limited to the information created or received by Business Associate from or on behalf of Covered Entity.

1.4 "Security Incident" means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system as defined in the HIPAA Security Rule.

2. OBLIGATIONS OF BUSINESS ASSOCIATE

2.1 Permitted Uses and Disclosures. Business Associate shall not use or disclose PHI other than as permitted or required by this Agreement or as Required by Law.

2.2 Safeguards. Business Associate shall implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the ePHI that it creates, receives, maintains, or transmits on behalf of Covered Entity. Specifically, Business Associate shall:

  1. Encrypt all ePHI at rest using AES-256-GCM or equivalent;
  2. Encrypt all ePHI in transit using TLS 1.2 or higher;
  3. Implement access controls including unique user identification, automatic logoff (15-minute idle timeout), and role-based access;
  4. Maintain comprehensive audit logs of all access to and modification of ePHI;
  5. Implement password policies requiring minimum 12-character passwords with complexity requirements;
  6. Implement account lockout after 5 failed authentication attempts;
  7. Enforce session timeouts of no more than 8 hours.

2.3 Reporting. Business Associate shall report to Covered Entity any use or disclosure of PHI not permitted by this Agreement, any Breach of Unsecured PHI, and any Security Incident of which it becomes aware, without unreasonable delay and in no case later than 60 calendar days after discovery.

2.4 Subcontractors. Business Associate shall ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to the same restrictions and conditions that apply to Business Associate under this Agreement.

2.5 Access to PHI. Business Associate shall make available PHI in a Designated Record Set to Covered Entity or, as directed by Covered Entity, to an individual, as necessary to satisfy Covered Entity's obligations under 45 CFR §164.524.

2.6 Amendment of PHI. Business Associate shall make PHI available for amendment and incorporate any amendments to PHI as directed by Covered Entity, as necessary to satisfy Covered Entity's obligations under 45 CFR §164.526.

2.7 Accounting of Disclosures. Business Associate shall make available the information required for Covered Entity to provide an accounting of disclosures as necessary to satisfy Covered Entity's obligations under 45 CFR §164.528. Business Associate shall maintain audit logs for a minimum of six (6) years.

2.8 Government Access. Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of HHS for purposes of determining compliance with the HIPAA Rules.

2.9 Minimum Necessary. Business Associate shall limit its use, disclosure, or request of PHI to the minimum necessary to accomplish the intended purpose, in accordance with 45 CFR §164.502(b) and §164.514(d).

3. OBLIGATIONS OF COVERED ENTITY

3.1 Covered Entity shall notify Business Associate of any limitations in its notice of privacy practices, any changes in or revocation of permission by an individual regarding the use or disclosure of their PHI, and any restrictions on the use or disclosure of PHI that Covered Entity has agreed to.

3.2 Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would violate the HIPAA Rules.

4. BREACH NOTIFICATION

4.1 Business Associate shall, following the discovery of a Breach of Unsecured PHI, notify Covered Entity without unreasonable delay and in no case later than 30 calendar days after discovery.

4.2 Such notification shall include:

  1. Identification of each individual whose PHI has been or is reasonably believed to have been accessed, acquired, used, or disclosed;
  2. A description of what happened, including the date of the Breach and date of discovery;
  3. A description of the types of PHI involved;
  4. Steps individuals should take to protect themselves;
  5. A description of what Business Associate is doing to investigate, mitigate harm, and prevent future Breaches.

5. TERM AND TERMINATION

5.1 Term. This Agreement shall be effective as of the Effective Date and shall terminate when all PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity.

5.2 Termination for Cause. Either party may terminate this Agreement if the other party materially breaches any provision of this Agreement and such breach is not cured within 30 calendar days of written notice.

5.3 Effect of Termination. Upon termination, Business Associate shall, if feasible, return or destroy all PHI received from or created on behalf of Covered Entity. If return or destruction is not feasible, Business Associate shall extend the protections of this Agreement to the retained PHI and limit further uses and disclosures to the purposes that make return or destruction infeasible.

6. MISCELLANEOUS

6.1 Regulatory References. A reference in this Agreement to a section in the HIPAA Rules means the section as in effect or as amended.

6.2 Amendment. The parties agree to negotiate in good faith any amendment to this Agreement that is necessary to ensure compliance with changes in law.

6.3 Survival. The respective rights and obligations of Business Associate under Sections 2 and 5.3 shall survive the termination of this Agreement.

6.4 Interpretation. Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits the parties to comply with the HIPAA Rules.

ELECTRONIC ACCEPTANCE

By checking the "I have read and agree to the Business Associate Agreement" checkbox during provider registration on Genograms.net, you acknowledge that you have read, understood, and agree to be bound by all terms and conditions of this Business Associate Agreement. This electronic acceptance constitutes a legally binding signature under the ESIGN Act (15 U.S.C. §7001 et seq.) and UETA.

Upon acceptance, the following data is recorded as your binding signature: the exact timestamp, your IP address, your email/account ID, and the specific version of this BAA.