Business Associate Agreement

HIPAA BAA · Available by default to all Brellium customers

By using Brellium in production or trial, you (Company) are covered under this Business Associate Agreement with Brellium (Business Associate). There is no separate contract to sign to enter into a HIPAA Business Associate Agreement (BAA) with Brellium because this is available by default to all customers in the Brellium Terms of Service or Master Services Agreement.

This Agreement sets out the responsibilities and obligations of Business Associate under the Health Insurance Portability and Accountability Act (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”).

Recitals

Business Associate and Company have entered into a certain Master Agreement (“Master Agreement”) under which Business Associate has agreed to provide Company with certain services (“Services”).

In performing the Services, Business Associate will create, receive, transmit, or maintain Protected Health Information (as defined at 45 C.F.R. § 160.103) for or on behalf of Company.

Business Associate and Company have mutual obligations under the Master Agreement that will require Business Associate and Company to use or disclose the PHI of Individuals belonging to Company’s customer(s), as that term is defined under HIPAA.

This Agreement is intended to comply with the rules on handling of PHI under the HIPAA Standards for Privacy of Individually Identifiable Health Information, 45 C.F.R. Part 160 and Part 164, Subpart E (“Privacy Rule”), the HIPAA Security Standards, 45 C.F.R. Part 160 and Part 164, Subpart C (“Security Rule”), and the HIPAA Breach Notification Regulations, 45 C.F.R. Part 164, Subpart D (“Breach Notification Rule”).

Section 1 — Definitions

The following terms used in this Agreement shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Minimum Necessary, Notice of Privacy Practices, Required by Law, Secretary, Subcontractor, Unsecured Protected Health Information, and Use.

  • Electronic Health Record. “Electronic Health Record” shall have the same meaning as the term “electronic health record” in the HITECH Act, section 13400(5).
  • Electronic Protected Health Information. “Electronic Protected Health Information” (sometimes “ePHI”) shall have the same meaning as the term “electronic protected health information” in 45 C.F.R. 160.103, limited to the information received from Company, or created, maintained or transmitted by Business Associate on behalf of Company.
  • Individual. “Individual” shall have the same meaning as the term “individual” in 45 C.F.R. 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. 164.502(g).
  • Protected Health Information. “Protected Health Information” (“PHI”) shall have the same meaning as the term “protected health information” in 45 C.F.R. 160.103, limited to the information received from Company, or created, maintained, or transmitted by Business Associate on behalf of Company.
  • HIPAA Rules. “HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.
  • Security Incident. “Security Incident” shall mean the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.

Section 2 — Obligations and Activities of Business Associate

  • Permitted Uses and Disclosures. Business Associate agrees to use or disclose Protected Health Information only as permitted or required by this Agreement or as Required by Law.
  • Safeguards. Business Associate agrees to implement the administrative safeguards set forth at 45 C.F.R. 164.308, the physical safeguards set forth at 45 C.F.R. 164.310, the technical safeguards set forth at 45 C.F.R. 164.312, and the policies and procedures set forth at 45 C.F.R. 164.316 to reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI that it creates, receives, maintains, or transmits on behalf of Company.
  • Mitigation. Business Associate agrees to mitigate any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this Agreement.
  • Agents and Subcontractors. Business Associate agrees, in accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), to require any subcontractors that create, receive, maintain, or transmit Protected Health Information on behalf of the Business Associate to agree in writing to the same restrictions, conditions, and requirements.
  • Access to Individuals. Business Associate agrees to make available Protected Health Information in a Designated Record Set to either Company or, at the direction of Company, the Individual or the Individual’s designee, as necessary to satisfy Company’s obligations under 45 CFR 164.524.
  • Amendments to PHI. Business Associate agrees to make any amendment(s) to Protected Health Information in a Designated Record Set as directed or agreed to by Company pursuant to 45 CFR 164.526.
  • Access by Company. Business Associate agrees to make internal practices, books and records including policies and procedures and Protected Health Information available to the Secretary for purposes of determining Company’s compliance with HIPAA.
  • Disclosure Documentation. Business Associate agrees to document disclosures of Protected Health Information and provide information to Company to permit responses to Individual requests for an accounting of disclosures in accordance with 45 CFR Section 164.528.
  • Minimum Necessary. Business Associate agrees to limit its request, use, and disclosure of PHI to the minimum necessary to fulfill its commitments and perform Services on behalf of Company.

Section 3 — Permitted Uses by Business Associate

Performance of Services. Except as otherwise limited in this Agreement, Business Associate may use or disclose Protected Health Information to perform the Services, provided that such use or disclosure would be permitted if done by Company.

Other Permitted Usage. Business Associate may use Protected Health Information for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate. Business Associate may also use Protected Health Information to provide Data Aggregation services as permitted by 45 CFR Section 164.504(e)(2)(i)(B).

Section 4 — Obligations of Company

  • Change in Privacy Practices. Company shall notify Business Associate of any limitation(s) in its notice of privacy practices that may affect Business Associate’s use or disclosure of Protected Health Information.
  • Change in Right to Use PHI. Company shall notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose Protected Health Information.
  • Change in Restrictions. Company shall notify Business Associate of any restriction to the use or disclosure of Protected Health Information that Company has agreed to in accordance with 45 CFR Section 164.522.
  • Requests. Company shall not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible if done by Company.

Section 5 — Duties Upon Impermissible Use or Disclosure

Reporting. Business Associate agrees to report to Company any use or disclosure of Protected Health Information not provided for by the Agreement, including Breaches of Unsecured Protected Health Information as required at 45 CFR 164.410, and any Security Incident. Such reports shall be made without unreasonable delay and in all events within ten (10) days of discovery.

Content of Notification. All notices shall include identification of each Individual whose PHI has been or is reasonably believed to have been accessed, acquired, or disclosed; a description of what happened including dates; the types of identifiers involved; recommended steps Individuals should take; and a description of what Business Associate is doing to investigate and mitigate.

Mitigation. Business Associate agrees to mitigate, at its expense, any harmful effect known to Business Associate as a result of an Incident. Costs incurred by Company due to an Incident are to be reimbursed by the Business Associate.

Section 6 — Term and Termination

Term. This Agreement will begin on the Effective Date and shall continue until the earlier of the termination of the Master Agreement, termination of this Agreement, or mutual written agreement of the parties.

Termination for Cause. Upon either party’s knowledge of a breach of this Agreement by the other, the party shall provide not less than thirty (30) days’ written notice of its intent to terminate, provided the other party does not cure such breach within the notice period.

Effect of Termination. Upon termination, Business Associate shall return or, with Company’s express permission, destroy all Protected Health Information received from or created on behalf of Company. Business Associate shall retain no copies except as required by law.

Section 7 — Right to Audit

Company shall have the right to audit Business Associate at any time upon providing ten (10) days’ written notice. The scope of the audit will be to confirm Business Associate is in compliance with all information safeguards, access controls, and other items necessary for protecting and controlling PHI. If the audit reveals material non-compliance, Business Associate will have thirty (30) days to mitigate. If mitigations are not in place within thirty (30) days, Company has the right to terminate this Agreement and any other contracts without additional cost or penalties.

Section 8 — Miscellaneous

Interpretation. This Agreement is subject to the terms and conditions of the Master Agreement. To the extent this Agreement is inconsistent with the Master Agreement as it relates to HIPAA, and such terms are more stringent, this Agreement shall govern.

No Third-Party Beneficiaries. This Agreement is entered into by and among the parties solely for their benefit. No third-party beneficiary status or rights have been created.

Entire Agreement. This Agreement supersedes any prior agreements pertaining to HIPAA obligations between the parties and may be amended only by a writing executed by authorized representatives of both parties.

Section 9 — Indemnification and Limitation of Liability

Business Associate will indemnify Company, its affiliates, officers, directors, employees, or agents from and against any claim, cause of action, liability, damage, cost, or expense, including attorney’s fees, caused by Business Associate’s breach of this Agreement or an Incident.

Company will indemnify Business Associate, its affiliates, officers, directors, employees, or agents from and against any third-party claim directly caused by Company’s breach of this Agreement.

Business Associate’s obligations, including its indemnification obligations, shall not be subject to any limitations or exclusions on damages, notwithstanding any provision in the Master Agreement to the contrary.

Contact Information

For questions about this BAA, contact us at: legal@brellium.com