1. PREAMBLE AND DEFINITIONS.
1.1 Pursuant to the Health Insurance Portability and Accountability Act of 1996, as amended (“HIPAA”), the covered entity identified below (“Covered Entity”) and Hoot Health Inc. or any of its affiliates (“Business Associate”), enter into this Business Associate Agreement (“BAA”) as of the date signed below (the “Effective Date”) that addresses the HIPAA requirements with respect to “business associates,” as defined under the privacy, security, breach notification, and enforcement rules at 45 C.F.R. Part 160 and Part 164 (“HIPAA Rules”). A reference in this BAA to a section in the HIPAA Rules means the section as in effect or as amended.
1.2 This BAA is intended to ensure that Business Associate will establish and implement appropriate safeguards for the Protected Health Information (as defined under the HIPAA Rules) that Business Associate may receive, create, maintain, use, or disclose in connection with the functions, activities, and services that Business Associate performs for Covered Entity (“PHI”). The functions, activities, and services that Business Associate performs for Covered Entity are defined in the Covered Entity’s service order or account with Business Associate (“Service Order”) and the Hoot Terms of Service (together, the Service Order and Terms of Service are referred to as the “Underlying Agreement”).
1.3 Pursuant to changes required under the Health Information Technology for Economic and Clinical Health Act of 2009 (the “HITECH Act”) and under the American Recovery and Reinvestment Act of 2009 (“ARRA”), this BAA also reflects federal breach notification requirements imposed on Business Associate when “Unsecured PHI” (as defined under the HIPAA Rules) is acquired by an unauthorized party, and the expanded privacy and security provisions imposed on business associates.
1.4 Unless the context clearly indicates otherwise, the following terms in this BAA shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, disclosure, Electronic Media, Electronic Protected Health Information (ePHI), Health Care Operations, individual, Minimum Necessary, Notice of Privacy Practices, Required By Law, Secretary, Security Incident, Subcontractor, Unsecured PHI, and use.
1.5 A reference in this BAA to the Privacy Rule means the Privacy Rule, in conformity with the regulations at 45 C.F.R. Parts 160-164 (the “Privacy Rule”) as interpreted under applicable regulations and guidance of general application published by HHS, including all amendments thereto for which compliance is required, as amended by the HITECH Act, ARRA, and the HIPAA Rules.
2. GENERAL OBLIGATIONS OF BUSINESS ASSOCIATE.
2.1 Business Associate agrees not to use or disclose PHI, other than as permitted or required by this BAA or as Required By Law.
2.2 Business Associate agrees to use appropriate safeguards, and comply with Subpart C of 45 C.F.R. Part 164 with respect to ePHI, to prevent use or disclosure of PHI other than as provided for by the BAA.
2.3 Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate as a result of a use or disclosure of PHI by Business Associate in violation of this BAA’s requirements or that would otherwise cause a Breach of Unsecured PHI.
2.4 Business Associate agrees to the following breach notification requirements:
a. Business Associate agrees to report to Covered Entity any Breach of Unsecured PHI or other use or disclosure of PHI not provided for by the BAA of which it becomes aware within 30 calendar days of “discovery” within the meaning of the HITECH Act. Such notice shall include the identification of each individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, or disclosed in connection with such Breach. Business Associate also shall provide any additional information reasonably requested by Covered Entity for purposes of investigating the Breach and any other available information that Covered Entity is required to include in the notification to the individual under 45 C.F.R. § 164.404(c), at the time of notification or promptly thereafter as information becomes available. If the Breach of Unsecured PHI results or arises from Covered Entity’s act, omission, or breach of the Underlying Agreement (for example, Covered Entity fails to secure its access credentials to Business Associate’s systems), then Covered Entity shall pay or reimburse Business Associate for the time spent by Business Associate preparing the notice and providing the information required under this Section 2.4(a) at Business Associate’s then-standard or other reasonable professional services rate and any related costs reasonably incurred by Business Associate.
b. In the event of Business Associate’s use or disclosure of Unsecured PHI in violation of HIPAA, the HITECH Act, or ARRA, Business Associate bears the burden of demonstrating that notice as required under this Section 2.4 was made, including evidence demonstrating the necessity of any delay, or that the use or disclosure did not constitute a Breach of Unsecured PHI.
2.5 Business Associate agrees, in accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, to require that any Subcontractors that create, receive, maintain, or transmit PHI on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information.
2.6 Covered Entity shall be responsible for responding to any individual’s request related to PHI (“Request”), including access to the individual’s Designated Record Set pursuant to 45 C.F.R. § 164.524, amendment of the Designated Record Set pursuant to 45 C.F.R. § 164.526, and accounting of disclosures pursuant to 45 C.F.R. § 164.528.
a. If Business Associate receives a Request, it will inform Covered Entity of the Request and inform the individual to make the Request directly to Covered Entity.
b. Business Associate agrees to maintain and document Business Associate’s disclosures, other than to Covered Entity, of PHI and Breaches of Unsecured PHI and any information relating to the disclosure of PHI and Breach of Unsecured PHI in a manner as would be required for Covered Entity to respond to a request by an individual or the Secretary for an accounting of PHI disclosures and Breaches of Unsecured PHI.
c. If requested by Covered Entity, Business Associate will provide reasonable assistance to Covered Entity in responding to a Request and Covered Entity shall pay or reimburse Business Associate for the time spent by Business Associate assisting with a response to a Request at Business Associate’s then-standard or other reasonable professional services rate and any related costs reasonably incurred by Business Associate.
2.7 Business Associate agrees to make its internal practices, books, and records, including policies and procedures regarding PHI, relating to the use and disclosure of PHI and Breach of any Unsecured PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, available to Covered Entity (or the Secretary) for the purpose of Covered Entity or the Secretary determining compliance with the Privacy Rule. Covered Entity shall pay or reimburse Business Associate for the time spent by Business Associate for its assistance under this subsection at Business Associate’s then-standard or other reasonable professional services rate and any related costs reasonably incurred by Business Associate.
3. PERMITTED USES AND DISCLOSURES BY BUSINESS ASSOCIATE.
3.1 Business Associate agrees to receive, create, use, or disclose PHI only in a manner that is consistent with this BAA, the Privacy Rule, and the Security Rule (as defined in Section 5); provided that the use or disclosure would not violate the Privacy Rule, including 45 C.F.R. § 164.504(e), if the use or disclosure were done by Covered Entity. For example, the use and disclosure of PHI will be permitted for “treatment, payment, and health care operations,” in accordance with the Privacy Rule.
3.2 Business Associate may use or disclose PHI in connection with the functions, activities, and services that Business Associate performs for Covered Entity, including marketing on behalf of the Covered Entity.
3.3 Business Associate may use or disclose PHI for its proper management and administration or to carry out its legal responsibilities as permitted under applicable law.
3.4 Business Associate may use or disclose PHI as Required By Law.
3.5 Business Associate may use or disclose PHI to deidentify PHI consistent with 45 C.F.R. § 164.514(a)-(c). Deidentified PHI is not PHI. Business Associate shall own any deidentified PHI created by Business Associate through deidentification, and Business Associate shall have the sole right to sell, license, sublicense, or otherwise use or dispose of such deidentified PHI.
3.6 Business Associate may use or disclose PHI to market products and services to individuals. If Business Associate or Covered Entity receives remuneration from third parties to provide any communications to individuals, either Business Associate or Covered Entity must obtain a valid authorization from each individual who receives such communications.
3.7 Business Associate may sell PHI to third parties or otherwise directly or indirectly receive remuneration from third parties in exchange for PHI, and such PHI may be further exchanged for remuneration by the entity receiving the PHI, provided that Covered Entity or Business Associate obtains a valid authorization from the individual, in compliance with the “Prohibition on Sale of Electronic Health Records or Protected Health Information,” as provided in Section 13405(d) of Subtitle D (Privacy) of ARRA, and the “Conditions on Certain Contacts as Part of Health Care Operations,” as provided in Section 13406 of Subtitle D (Privacy) of ARRA and related guidance issued by the Secretary from time to time.
3.8 Business Associate agrees to use, disclose, and request PHI to the minimum extent necessary to accomplish the intended purpose of such use, disclosure, or request.
4. OBLIGATIONS OF COVERED ENTITY.
4.1 Covered Entity shall:
a. Provide Business Associate with the Notice of Privacy Practices that Covered Entity produces in accordance with the Privacy Rule, and any changes or limitations to such notice under 45 C.F.R. § 164.520, to the extent that such changes or limitations may affect Business Associate’s use or disclosure of PHI. Covered Entity’s Notice of Privacy Practices must include a disclosure that most uses and disclosures of PHI for marketing purposes and the sale of PHI require an individual’s authorization.
b. Notify Business Associate of any restriction on the use or disclosure of PHI that Covered Entity has agreed to or is required to comply with under 45 C.F.R. § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI under this BAA.
c. Request an authorization from each individual authorizing Covered Entity and Business Associate to sell PHI to third parties or otherwise directly or indirectly receive remuneration from third parties in exchange for PHI, including that PHI may be further exchanged for remuneration by the entity receiving the PHI of the individual.
d. Request an authorization from each individual authorizing Covered Entity and Business Associate to use and disclose PHI to third parties for marketing purposes, including to send communications for which either Covered Entity or Business Associate receives remuneration from third parties.
e. Notify Business Associate of any changes in or revocation of permission by an individual to use or disclose PHI, if such change or revocation may affect Business Associate’s permitted or required uses and disclosures of PHI under this BAA. Uses and disclosures of PHI prior to revocation cannot be taken back.
4.2 Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy Rule and the Security Rule if done by Covered Entity.
5. COMPLIANCE WITH SECURITY RULE.
5.1 Business Associate shall comply with the HIPAA Security Rule, which shall mean the Standards for Security of Electronic Protected Health Information at 45 C.F.R. Part 160 and Subparts A and C of Part 164, as amended by ARRA and the HITECH Act (the “Security Rule”). The term “Electronic Health Record” or “EHR” as used in this BAA shall mean an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff.
5.2 In accordance with the Security Rule, Business Associate agrees to:
a. Implement the administrative safeguards set forth at 45 C.F.R. § 164.308, the physical safeguards set forth at 45 C.F.R. § 164.310, the technical safeguards set forth at 45 C.F.R. § 164.312, and the policies and procedures set forth at 45 C.F.R. § 164.316, to reasonably and appropriately protect the confidentiality, integrity, and availability of the ePHI that it creates, receives, maintains, or transmits on behalf of Covered Entity as required by the Security Rule.
b. Require that any agent, including a Subcontractor, to whom it provides such PHI agrees to implement reasonable and appropriate safeguards to protect the PHI; and
c. Report to the Covered Entity any Security Incident of which it becomes aware.
6. INDEMNIFICATION.
6.1 The parties agree and acknowledge that except as set forth herein, the indemnification obligations contained under the Underlying Agreement shall govern each party’s performance under this BAA.
7. TERM AND TERMINATION.
7.1 This BAA shall be in effect as of the Effective Date and shall terminate on the earlier of the date that:
a. The Underlying Agreement expires or is terminated;
b. Either party terminates for cause as authorized under Section 7.2; or
c. All of the PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity. If it is not feasible to return or destroy PHI, protections are extended in accordance with Section 7.3.
7.2 Upon either party’s knowledge of material breach by the other party, the non-breaching party shall provide an opportunity for the breaching party to cure the breach or end the violation. If the breaching party does not cure the breach or end the violation within a reasonable timeframe not to exceed 30 days from the notification of the breach, or if a material term of the BAA has been breached and a cure is not possible, the non-breaching party may terminate this BAA and the Underlying Agreement, upon written notice to the other party.
7.3 Upon termination of this BAA for any reason, Business Associate, with respect to PHI received from Covered Entity, or created, maintained, or received by Business Associate on behalf of Covered Entity, shall:
a. Retain only that PHI that is necessary for Business Associate to continue its management and administration or to carry out its legal responsibilities.
b. Destroy the remaining (non-retained) PHI that the Business Associate still maintains.
c. With respect to retained PHI, continue to use appropriate safeguards and comply with Subpart C of 45 C.F.R. Part 164 with respect to ePHI to prevent use or disclosure of the PHI, other than as provided for in this Section 7, for as long as Business Associate retains the PHI.
d. With respect to retained PHI, not use or disclose the PHI retained by Business Associate other than for the purposes for which such PHI was retained and subject to the same conditions set forth in this BAA.
e. With respect to retained PHI, return to Covered Entity or, if agreed to by Covered Entity, destroy the PHI retained by Business Associate when it is no longer needed by Business Associate for its proper management and administration or to carry out its legal responsibilities.
7.4 The obligations of Business Associate under this Section 7 shall survive the termination of this BAA.
8. MISCELLANEOUS.
8.1 The parties agree to take such action as is necessary to amend this BAA to comply with the requirements of the Privacy Rule, the Security Rule, HIPAA, ARRA, the HITECH Act, the Consolidated Appropriations Act, 2021 (CAA-21), the HIPAA Rules, and any other applicable law.
8.2 The respective rights and obligations of Covered Entity and Business Associate under Sections 6 and 7 of this BAA shall survive the termination of this BAA.
8.3 This BAA constitutes the entire agreement between the parties related to the subject matter of this BAA, except to the extent that the Underlying Agreement imposes more stringent requirements related to the use and protection of PHI upon Business Associate. This BAA supersedes all prior negotiations, discussions, representations, or proposals, whether oral or written. This BAA may not be modified unless done so in writing and signed by a duly authorized representative of both parties. If any provision of this BAA, or part thereof, is found to be invalid, the remaining provisions shall remain in effect.
8.4 This BAA will be binding on the successors and assigns of the Covered Entity and the Business Associate. However, this BAA may not be assigned, in whole or in part, without the written consent of the other party, except as part of an assignment of the Underlying Agreement, as permitted by the terms of the Underlying Agreement. Any attempted assignment in violation of this provision shall be null and void.
8.5 This BAA may be executed in two or more counterparts, each of which shall be deemed an original.
8.6 Except to the extent preempted by federal law, this BAA shall be governed by and construed in accordance with the same laws as that of the Underlying Agreement.