Version Date: December 3, 2021
This Business Associate Agreement (“Agreement”) is hereby entered into on the date indicated on the Sales Order (“Effective Date”) by and between Revival Health, LLC (“Business Associate”) and the entity indicated in the Sales Order (“Covered Entity”).
1. Statement of Purpose. Business Associate has been engaged to, or may, provide certain Services to Covered Entity as set forth in an agreement or agreements between the parties (“Service Agreement”). The parties acknowledge that Business Associate may be exposed to or become aware of Protected Health Information (also referred to herein as “PHI”) in the performance of the Services. The parties wish to enter into this Agreement to provide Covered Entity with the written assurances required by the Privacy Rule and the Security Rule established pursuant to the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act (“HITECH Act” and collectively the foregoing laws and regulations shall be “HIPAA”) and to otherwise address the use and disclosure of PHI under the Service Agreement. In the event that Covered Entity is acting as a “business associate” under 45 C.F.R. 160.103 for a “covered entity” under 45 C.F.R. 160.103 and Business Associate is acting as a “subcontractor” under 45 C.F.R. 160.103, this Agreement shall be construed as appropriate for a business associate – subcontractor agreement to meet the requirements for a business associate agreement under HIPAA.
Terms used, but not otherwise defined in this Agreement, shall have the same meaning as those terms in the Privacy Rule and the Security Rule, where not inappropriate by context.
(a) “Business Associate” shall have the meaning set forth in 45 C.F.R. Section 160.103, and with reference to the party of this Agreement, shall mean the Business Associate identified above.
(b) “Covered Entity” shall have the meaning set forth in 45 C.F.R. Section 160.103, and with reference to the party of this Agreement, shall mean the customer of Business Associate identified above.
(c) “Designated Record Set” shall have the meaning set forth in 45 C.F.R. Section 164.501.
(d) “Disclose” and “Disclosure” mean, with respect to Protected Health Information, the release, transfer, provision of access to, or divulging in any other manner of Protected Health Information outside the organization’s internal operations or to individuals other than its workforce.
(e) “Electronic Protected Health Information” or “EPHI” shall have the same meaning as the term "Electronic Protected Health Information" in 45 C.F.R. § 160.103, and, in this Agreement, shall mean more than Incidental information received by Business Associate or made accessible to Business Associate by Covered Entity in the course of Business Associate’s providing Services under the Service Agreement.
(f) “Incidental” shall refer to those uses and disclosures covered in 45 C.F.R. 164.502 (a) (1) (iii) which do not rise to the level where a business associate agreement is required and that occur as a by-product of another permissible or required use under HIPAA and that cannot be reasonably prevented and are limited in nature.
(g) "Individual" shall have the same meaning as the term "individual" in 45 CFR § 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 CFR § 164.502(g).
(h) “Privacy Rule” shall mean the standards, requirements and specifications promulgated by the Secretary of Health and Human Services at 45 C.F.R. Section 160 subparts A and E promulgated under HIPAA.
(i) “Protected Health Information” or “PHI” shall have the same meaning as the term “Protected Health Information” in 45 C.F.R. § 160.103, limited to the information created or received by Business Associate from or on behalf of Covered Entity and, in this Agreement, shall mean more than Incidental information received by Business Associate or made accessible to Business Associate by Covered Entity in the course of Business Associate’s providing Services under the Service Agreement.
(j) “Security Rule” shall mean the standards, requirements and specifications promulgated by the Secretary of Health and Human Services at 45 C.F.R. Section 164 subpart C promulgated under HIPAA.
(k) “Services” shall mean the services provided pursuant to the Service Agreement.
(l) “Use” or “Uses” shall have the meaning set forth in 45 C.F.R. Section 160.103.
3. Obligations of Business Associate. Business Associate agrees:
(a) not to use or further disclose PHI created or received by Business Associate from, or on behalf of, Covered Entity other than as required to carry out the Services to Covered Entity and as expressly permitted or required by this Agreement or applicable laws. Such use, disclosure or request of PHI shall be consistent with HIPAA and utilize a limited data set if practicable or otherwise the minimum necessary PHI to accomplish the intended result of the use, disclosure or request;
(b) to use reasonable and appropriate safeguards designed to prevent the use or disclosure of Protected Health Information in any manner other than as permitted by this Agreement;
(c) to report to Covered Entity without unreasonable delay, and in no event more than ten (10) business days after discovery by Business Associate, any Security Incident, Breach of Unsecured Protected Health Information, or any use or disclosure of PHI not permitted by this Agreement of which it becomes aware. In addition, Business Associate will report, following discovery and without unreasonable delay, any “Breach” of “Unsecured Protected Health Information” as defined by the HITECH Act and any implementing regulations. Any such report shall include the identification (if known) of each individual whose Unsecured Protected Health Information has been, or is reasonably believed by Business Associate to have been, accessed, acquired, or disclosed during such Breach. Business Associate shall mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this Agreement. This section shall constitute notice, and no further notice shall be required, of pings, broadcast attacks on firewalls, port scans, unsuccessful log-on attempts, denial of service attacks, and similar events that do not result in unauthorized access or use of PHI, which Covered Entity hereby acknowledges occur regularly and of which no further notice is necessary;
(d) ensure that any agents and subcontractors of Business Associate to whom Business Associate provides PHI received from, or created or received by Business Associate on behalf of Covered Entity agree to substantially the same restrictions and conditions that apply to Business Associate with respect to such information;
(e) to the extent (if any) that Business Associate maintains a Designated Record Set for Covered Entity, and is notified of such by Covered Entity, to make available PHI maintained by Business Associate in a Designated Record Set to Covered Entity as required for Covered Entity to comply with its obligation to give an individual the right of access to inspect and obtain a copy of their PHI as set forth in 45 C.F.R. 164.524. Consistent with 45 C.F.R. 164.524, Business Associate’s obligation will be limited to the extent such PHI is in the sole possession of Business Associate and is not duplicative of PHI held by Covered Entity. The provision of the access to the individual’s PHI and any denials of access to the PHI shall be the responsibility of Covered Entity;
(f) to the extent (if any) that Business Associate maintains a Designated Record Set for Covered Entity, and is notified of such by Covered Entity, to make available PHI maintained by Business Associate in a Designated Record Set to Covered Entity as required for Covered Entity to comply with its obligation to amend PHI as set forth in 45 C.F.R. 164.526. The amendment of an individual’s PHI and all decisions related thereto shall be the responsibility of Covered Entity;
(g) to make available to Covered Entity information regarding disclosures by Business Associate to third parties for which an accounting is required under 45 C.F.R. Section 164.528 so Covered Entity can meet its requirements to provide an accounting of disclosures to individuals in accordance with 45 C.F.R. 164.528;
(h) to make its internal practices, books and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of Covered Entity, available to the Secretary of Health and Human Services for purposes of determining Covered Entity’s compliance with the Privacy and Security Rules;
(i) at termination of this Agreement, if feasible, return or destroy all PHI received from, or created or received by Business Associate on behalf of Covered Entity, that Business Associate still maintains in any form and to retain no copies of such information, or, if such return or destruction is not feasible in the sole discretion of Business Associate, extend the protections of this Agreement to such PHI and limit further uses and disclosures to those purposes that make the return or destruction of the PHI infeasible.
(j) with respect to Electronic Protected Health Information, Business Associate will (i) implement administrative, physical, and technical safeguards that are designed to reasonably and appropriately protect the confidentiality, integrity, and availability of the Electronic Protected Health Information that it creates, receives, maintains, or transmits on behalf of Company, as required by the Security Rule; (ii) ensure that any agent or subcontractor to whom it provides Electronic Protected Health Information agrees to implement reasonable and appropriate safeguards to protect it; and (iii) report to Covered Entity pursuant to Section 3(c) any Security Incident of which it becomes aware.
4. Permitted Uses and Disclosures by Business Associate
(a) Except as otherwise limited by this Agreement, Business Associate may make any uses or disclosures of PHI reasonably necessary to perform its Services to Covered Entity and otherwise in accordance with this Agreement and the Service Agreement.
(b) Business Associate may use PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate.
(c) Business Associate may disclose PHI for its proper management and administration or to carry out its legal responsibilities, if the disclosure is Required By Law or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
(d) Except as otherwise limited in this Agreement, Business Associate may use PHI to provide Data Aggregation services as permitted by 45 C.F.R. Section 164.504(e)(2)(i)(B) in accordance with the Services.
(e) Except as otherwise limited in this Agreement, Business Associate may deidentify PHI in accordance with 45 CFR 164.514(a)-(c).
5. Covered Entity Obligations.
(a) Covered Entity shall use and disclose PHI only in accordance with the Privacy Rule, the Security Rule, and any other applicable law concerning PHI. Covered Entity shall follow all data security instructions communicated by Business Associate in connection with the Services.
(b) Covered Entity shall be solely responsible for establishing the applicable HIPAA Security Rule safeguards and associated policies for protecting PHI in its facilities or on its systems. Covered Entity shall communicate the relevant safeguards and policies to Business Associate if Business Associate provides Services at a Covered Entity facility or on its systems.
(c) Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under applicable laws concerning PHI. Covered Entity shall notify Business Associate of any limitation(s), restriction or changes on the use or disclosure of PHI of which it becomes aware that may affect Business Associate’s use or disclosure of PHI.
(a) Term and Termination. The term of this Agreement shall be the same as the term of the Service Agreement. Upon Covered Entity’s knowledge of a material breach of this Agreement by Business Associate, Covered Entity shall notify Business Associate of the breach in writing, and shall provide an opportunity for Business Associate to cure the breach or end the violation within thirty (30) business days after such notification; provided that if Business Associate fails to cure the breach or end the violation within such time period, Covered Entity shall have the right to terminate this Agreement upon written notice to Business Associate. In the event that termination of this Agreement is not feasible as mutually agreed to by Business Associate and Covered Entity, Business Associate hereby acknowledges that Covered Entity shall have the right to report the breach to the Secretary of Health and Human Services. This Agreement shall terminate immediately in the event that a HIPAA business associate agreement is no longer required under applicable laws.
(b) No Third Party Beneficiaries. No provision of this Agreement is intended to benefit any person or entity not a party to this Agreement, nor shall any person or entity not a party to this Agreement have any right to seek to enforce or recover any right or remedy with respect hereto.
(c) Modification of Agreement. No alteration, amendment, or modification of the terms of this Agreement shall be valid or effective unless in writing and signed by Business Associate and Covered Entity.
(d) Non-Waiver. A failure of any party to enforce at any time any term, provision or condition of this Agreement, or to exercise any right or option herein, shall in no way operate as a waiver thereof, nor shall any single or partial exercise preclude any other right or option herein. In no way whatsoever shall a waiver of any term, provision or condition of this Agreement be valid unless in writing, signed by the waiving party, and only to the extent set forth in such writing.
(e) Severability. If any provision of this Agreement is found to be invalid or unenforceable by any court, such provision shall be ineffective only to the extent that it is in contravention of applicable laws without invalidating the remaining provisions hereof.
(f) Relationship to Services Agreement Provisions. In the event that a provision of this Agreement is contrary to a provision of the Service Agreement, the provision of this Agreement shall control. Otherwise, this Agreement shall be construed under, and in accordance with, the terms of the Service Agreement.
(g) Notices. Any notices required or permitted to be given hereunder by either party to the other shall be given in writing: (1) by personal delivery; (2) by electronic facsimile with confirmation sent by United States first class registered or certified mail, postage prepaid, return receipt requested; (3) by bonded courier or by a nationally recognized overnight delivery service; or (4) by United States first class registered or certified mail, postage prepaid, return receipt requested, in each case, addressed to:
If to Business Associate:
Revival Health, LLC
12353 Highway 71 West
Austin, TX 78738
If to Covered Entity:
The address indicated in the Order executed by Covered Entity.
or to such other addresses as the parties may request in writing by notice given pursuant to this Agreement. Notices shall be deemed received on the earliest of personal delivery; upon delivery by electronic facsimile with confirmation from the transmitting machine that the transmission was completed; twenty-four (24) hours following deposit with a bonded courier or overnight delivery service; or seventy-two (72) hours following deposit in the U.S. Mail as required herein.