Business Associate Agreement
This Business Associate Agreement (this “BAA”) supplements the terms and conditions of the agreement, entered into between you (“Covered Entity”) and Calyx Health, Inc. d/b/a Mabel (“Business Associate”). Covered Entity and Business Associate are sometimes hereinafter referred to collectively as the “Parties” and individually as a “Party.”
1. Definitions.
The Parties agree that the following terms, when used in this BAA, shall have the following meanings, provided that the terms set forth below shall be deemed to be modified to reflect any changes made to such terms from time to time as defined in the Privacy Rule, the Security Rule and the HITECH Standards. Any terms capitalized, but not otherwise defined, in this BAA shall have the same meaning as those terms have under HIPAA, the Privacy Rule, the Security Rule and the HITECH Standards.
a. “"Breach” has the same meaning as provided in 45 C.F.R. § 164.402.
b. “Electronic Protected Health Information” or “Electronic PHI” means Protected Health Information that is transmitted by or maintained in electronic media as defined in the Security Rule.
c. “HIPAA” means the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191.
d. “HITECH Standards” means the privacy, security and security breach notification provisions applicable to a Business Associate under Subtitle D of the Health Information Technology for Economic and Clinical Health Act (“HITECH”), which is Title XIII of the American Recovery and Reinvestment Act of 2009 (Public Law 111-5), and any regulations promulgated thereunder.
e. “HHS” means the U.S. Department of Health and Human Services.
f. “Individually Identifiable Health Information” means information that is a subset of health information, including demographic information collected from an individual, and:
(i) is created or received by a health care provider, health plan, employer or health care clearinghouse; and
(ii) relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual; and:
(A) that identifies the individual; or
(B) with respect to which there is a reasonable basis to believe the information can be used to identify the individual.
g. “Privacy Rule” means the regulations promulgated under HIPAA by HHS to protect the privacy of Protected Health Information, including, but not limited to, 45 C.F.R. Part 160 and 45 C.F.R. Part 164, Subpart A and Subpart E.
h. “Protected Health Information” or “PHI” means Individually Identifiable Health Information transmitted or maintained in any form or medium that (i) is received by Business Associate from Covered Entity, (ii) Business Associate creates for its own purposes from Individually Identifiable Health Information that Business Associate received from Covered Entity, or (iii) is created, received, transmitted or maintained by Business Associate on behalf of Covered Entity. Protected Health Information excludes Individually Identifiable Health Information in education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. § 1232g, records described at 20 U.S.C. § 1232g(a)(4)(B)(iv) and employment records held by the Covered Entity in its role as an employer.
i. “Security Rule” means the regulations promulgated under HIPAA by HHS to protect the security of Electronic Protected Health Information, including, but not limited to, 45 C.F.R. Part 160 and 45 C.F.R. Part 164, Subparts A and C.
j. “Security Incident” shall mean any Security Incident (as defined in 45 CFR 164.304) but shall not include incidental incidents that occur on a daily basis such as scans, “pings,” or routine unsuccessful attempts to penetrate computer networks or servers maintained or utilized by Business Associate.
k. “Unsecured Protected Health Information” shall mean protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals though the use of a technology or methodology specified by the Secretary of HHS in guidance, such as encryption with a valid process or physical destruction of documents.
2. Status of Parties.
The Parties hereby acknowledge and agree that Covered Entity is a “Covered Entity” and that Business Associate is a “Business Associate” of Covered Entity, as such terms are defined in HIPAA and the Privacy and Security Rule.
3. Permitted Uses and Disclosures.
a. Performance of Services. Except as otherwise limited in this BAA or by applicable law, Business Associate may access, use and/or disclose Covered Entity’s PHI and/or ePHI in connection with the evaluation of its obligations under the Service BAA if such use or disclosure of PHI would not violate HIPAA, the Privacy Rule or the HITECH Standards if done by Covered Entity, or such use or disclosure is expressly permitted under Section 3 of this BAA.
b. Minimum Necessary. With respect to the use, access, or disclosure of PHI by Business Associate as permitted under this BAA, Business Associate shall limit such use access, or disclosure, to the extent practicable, to the minimum necessary to accomplish the intended purpose of such use, access, or disclosure. Business Associate shall determine what constitutes the minimum necessary to accomplish the intended purpose in accord with HIPAA, HIPAA Regulations and any applicable guidance issued by the Secretary of HHS.
c. Documentation of Disclosures. With respect to any permitted disclosures of PHI by Business Associate, Business Associate shall document such disclosures including, but not limited to, the date of the disclosure, the name and, if known, the address of the recipient of the disclosure, a brief description of the PHI disclosed, and the purpose of the disclosure.
d. Modification of PHI. Except as permitted under Section 5(b) below, Business Associate shall not modify any existing data to which it is granted access other than to correct errors, or derive new data from such existing data. Business Associate shall record any modification of data and retain such record for a period of seven (7) years.
e. Other Permitted Uses and Disclosures of PHI. Except as otherwise limited in this BAA or by applicable law, Business Associate may, if necessary and only to the extent necessary, use PHI (i) for the proper management and administration of Business Associate's business, (ii) to provide data aggregation and/or de-identification services relating to the health care operations of Covered Entity, or (iii) to carry out Business Associate's legal responsibilities, subject to the limitation in Section 3(f), below. Business Associate shall obtain reasonable assurances from the person to whom the PHI is being disclosed that, as required under this BAA, the PHI will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed. Business Associate shall require that any Breaches or Security Incidents be immediately reported to Business Associate. Business Associate shall then report the Breach or Security Incident to Covered Entity in accordance with Section 4(b) hereof.
f. Nondisclosure of PHI. Business Associate is not authorized and shall not use or further disclose Covered Entity's PHI other than as permitted or required under this BAA, or as required by law or regulation.
(i) Disclosures Required By Law. Business Associate shall not, without the prior written consent of Covered Entity, disclose any PHI on the basis that such disclosure is Required by Law without notifying Covered Entity so that Covered Entity shall have an opportunity to object to the disclosure and to seek appropriate relief. Business Associate shall notify Covered Entity at least five (5) days prior to making a disclosure of PHI pursuant to this subsection.
(ii) Legal Process. In the event Business Associate is served with legal process or request from a governmental agency that may potentially require the disclosure of PHI, Business Associate shall promptly, and in any case within five (5) business days of its receipt of such legal process or request, notify Covered Entity. Business Associate shall not disclose the PHI without Covered Entity’s consent unless pursuant to a valid and specific court order or to comply with a requirement for review of documents by a governmental regulatory agency under its statutory or regulatory authority to regulate the activities of either party.
g. State Law Requirements. Business Associate shall comply with applicable state law confidentiality, privacy, security, document retention and breach notification requirements. To the extent that state law is more stringent than the HIPAA Regulations, any safeguard, use or disclosure of PHI or ePHI by Business Associate or its agents or subcontractors shall be made in accordance with state law.
h. Subcontractors. Business Associate shall ensure that each subcontractor of Business Associate that creates, receives, transmits, or stores any PHI agrees to be bound in a written agreement by the same restrictions and conditions that apply to Business Associate pursuant to this BAA, with respect to such PHI (or to restrictions that may be even more restrictive in favor of Business Associate), and that acknowledges that the subcontractor is directly subject to the HIPAA Privacy and Security Rules to the same extent as Business Associate.
i. Notification of Investigation or Lawsuit. Business Associate shall notify Covered Entity immediately upon receipt of notice of an investigation or of a lawsuit filed against Business Associate related to or arising from the use or disclosure of PHI by Business Associate pursuant to the Principal BAA or this BAA.
j. Additional Restrictions. Covered Entity shall provide Business Associate with written notice of any restriction, changes in, or revocation of, permission by individuals to use or disclose PHI, to the extent that such changes affect Business Associate’s use or disclosure of PHI under this BAA. If Covered Entity notifies Business Associate that Covered Entity has agreed to be bound by additional restrictions on the uses or disclosures of PHI pursuant to HIPAA, the Privacy Rule or the HITECH Standards, Business Associate shall be bound by such additional restrictions and shall not disclose PHI in violation of such additional restrictions. Such notice shall be provided no less than five (5) days prior to the implementation of such restrictions.
4. Safeguards, Reporting, Mitigation and Enforcement.
a. Safeguards. Business Associate shall use appropriate administrative, physical, and technical safeguards, including, among others, policies and procedures regarding the protection of PHI and/or ePHI and the provision of training on such policies and procedures to applicable employees and agents and subcontractors that reasonably and appropriately protect the confidentiality, integrity, and availability of the PHI and/or ePHI that Business Associate accesses, uses, discloses, creates maintains or transmits on behalf of Covered Entity, and to prevent uses or disclosures of PHI not permitted by this BAA. Business Associate further agrees to use appropriate administrative, physical and technical safeguards to protect the confidentiality, integrity and availability of any Electronic PHI in accordance with the Security Rule and the HITECH Standards.
b. Notification. Business Associate shall notify Covered Entity in writing as soon as possible, but in no event more than ten (10) calendar days, after Business Associate becomes aware of any Breach of or Security Incident involving Covered Entity’s PHI. Business Associate shall be deemed to be aware of any Breach or Security Incident as of the first day on which such Breach or Security Incident is known or reasonably should have been known to its officers, employees, agents or subcontractors. Business Associate shall identify as soon as practicable each individual whose unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, or disclosed during such Breach or Security Incident. Business Associate shall cooperate in good faith with Covered Entity in the investigation of any Breach or Security Incident.
c. Prompt Corrective Actions. In addition to the notification requirements in Section 4(b) above, Business Associate shall take (i) prompt corrective action to remedy any Breach or Security Incident, (ii) mitigate, to the extent practicable, any harmful effect of a use or disclosure of PHI by Business Associate in violation of this BAA, and (iii) take any other action required by applicable federal and state laws and regulations pertaining to such Breach or Security Incident. In order to document compliance with this provision, Business Associate will provide written notice to Covered Entity as soon as possible but no later than thirty (30) calendar days of following the initial report, that shall, at a minimum:
(i) Identify (if known) each individual whose PHI has been, or is reasonably believed by Business Associate to have been accessed, acquired, or disclosed during such Breach;
(ii) Identify the nature of the non-permitted access, use or disclosure, including the date of the Breach and the date of discovery of the Breach;
(iii) Identify PHI accessed, used, or disclosed as part of the Breach (e.g., full name, social security number, date of birth, etc.);
(iv) Identify who made the non-permitted access, use or disclosure and who received the non-permitted disclosure;
(v) Identify what corrective action Business Associate took or will take to prevent further non-permitted uses or disclosures;
(vi) Identify what Business Associate has done or will do to mitigate any deleterious effect of the non-permitted access, use or disclosure and the corrective action Business Associate has taken or shall take to prevent future similar Breaches or Security Incidents;
(vii) Indicate if a law enforcement official has stated that notification would impede a criminal investigation or cause damage to national security, and if so, whether such statement was made orally or in writing and the length of time for any delay in notification warranted by such statement; and
(viii) Provide such other information, including a written report, as Covered Entity may reasonably request.
d. Duty to Cooperate. In the event of any Breach or Security Incident, Business Associate shall cooperate with Covered Entity and shall provide such assistance as Covered Entity may reasonably request so that Covered Entity or its Client may comply with any obligations either of them has to investigate, remediate, mitigate, report, and or otherwise notify third parties of such Breach. This duty shall require Business Associate, at Covered Entity’s request, to provide notices (to Persons other than Covered Entity, including individuals, HHS, and others) in accordance with the HITECH Act. Business Associate shall not give any such notice absent Covered Entity’s request.
e. Costs Related to Inappropriate Use, Access or Disclosure of PHI. If Business Associate fails to adhere to any of the privacy, confidentiality, and/or data security provisions set forth in this BAA or if there is a Breach or Security Incident of PHI in Business Associate’s possession and, as a result, PHI or any other confidential information is unlawfully accessed, used or disclosed, it agrees to pay and reimburse Covered Entity for any and all costs, direct or indirect, incurred by Covered Entity associated with any Security Incident or Breach notification obligations. Business Associate also agrees to pay for any and all fines and/or administrative penalties imposed for such unauthorized access, use or disclosure of confidential information or for delayed reporting if it fails to notify the Covered Entity of the Breach or Security Incident as required by this BAA.
f. Mitigation. Business Associate shall have procedures in place to mitigate, to the maximum extent practicable, any deleterious effect from any use or disclosure of PHI in violation of this BAA or applicable law.
g. Sanctions. Business Associate shall have and apply appropriate sanctions against any employee, subcontractor or agent who uses or discloses PHI in violation of this BAA or applicable law.
h. Covered Entity’s Rights of Access and Inspection. From time to time, upon reasonable notice or upon a reasonable determination by Covered Entity that Business Associate has materially breached this BAA, Covered Entity may inspect the facilities, systems, books and records of Business Associate to monitor compliance with this BAA. The fact that Covered Entity inspects, fails to inspect or has the right to inspect, Business Associate’ facilities, systems and procedures does not relieve Business Associate of its responsibility to comply with this BAA, nor does Covered Entity’s (i) failure to detect or (ii) detection of, but failure to notify Business Associate or require Business Associate’ remediation of, any unsatisfactory practices constitute acceptance of such practice or a waiver of Covered Entity’s enforcement or termination rights under this BAA. The Parties’ respective rights and obligations under this Section 4(h) shall survive termination of this BAA.
i. U.S. Department of Health and Human Services. Business Associate shall make its internal practices, books and records relating to the use and disclosure of PHI, and the security of Electronic PHI, available to HHS for purposes of determining Covered Entity’s compliance with the Privacy Rule, the Security Rule and the HITECH Standards after the compliance dates, respectively, of these regulations and standards; provided, however, that Business Associate shall immediately notify Covered Entity upon receipt by Business Associate of any such request for access by the Secretary of HHS and shall provide Covered Entity with a copy thereof as well as a copy of all materials disclosed pursuant thereto. The Parties’ respective rights and obligations under this Section 4(i) shall survive termination of this BAA.
j. Standard Transactions. To the extent Business Associate conducts Standard Transaction(s) on behalf of Covered Entity, Business Associate shall, without limitation, comply with the HIPAA Regulations, “Administrative Requirements for Transactions,” 45 C.F.R. § 162.100 et seq., and shall not: (a) Change the definition, data condition or use of a data element or segment in a standard; (b) Add any data elements or segments to the maximum defined data set; (c) Use any code or data elements that are either marked “not used” in the standard’s implementation specification or are not in the standard’s implementation specification(s); or (d) Change the meaning or intent of the standard’s implementation specifications.
5. Obligation to Provide Access, Amendment and Accounting of PHI.
a. Access to PHI. Business Associate shall make available to Covered Entity such information as Covered Entity may require to fulfill Covered Entity’s obligations to provide access to, and copies of, PHI in accordance with HIPAA, the Privacy Rule and the HITECH Standards.
b. Amendment of PHI. Business Associate shall make available to Covered Entity such information as Covered Entity may require to fulfill Covered Entity’s obligations to amend PHI in accordance with HIPAA, the Privacy Rule and the HITECH Standards. In addition, Business Associate shall, as directed by Covered Entity, incorporate any amendments to Covered Entity’s PHI into copies of such information maintained by Business Associate.
c. Accounting of Disclosures of PHI.
(i) Business Associate shall make available to Covered Entity such information as Covered Entity may require to fulfill Covered Entity’s obligations to provide an accounting of disclosures with respect to PHI in accordance with HIPAA, the Privacy Rule and the HITECH Standards.
(ii) Business Associate agrees to maintain a process that allows for such accountings to be provided to Covered Entity upon request. Such accountings shall include (1) the date of disclosure, (2) the name of the entity or person who received PHI and, if known, the address of the entity or person, (3) a brief description of PHI disclosed, and (4) a brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure or a copy of the written request for disclosure.
(iii) Upon termination or expiration of the Service BAA, Business Associate shall provide to Covered Entity an accounting of all such disclosures made during the existence of the Service BAA.
d. Forwarding Requests from Individuals. In the event that any individual requests access to, amendment of or accounting of PHI directly from Business Associate, Business Associate shall within five (5) days forward such request to Covered Entity. Covered Entity shall have the responsibility of responding to forwarded requests. However, if forwarding the individual’s request to Covered Entity would cause Covered Entity or Business Associate to violate HIPAA, the Privacy Rule or the HITECH Standards, Business Associate shall instead respond to the individual’s request as required by such law and notify Covered Entity of such response as soon as practicable.
6. Material Breach, Enforcement and Termination.
a. Term. This BAA shall be effective as of the Effective Date and shall continue until the earlier of termination of the Agreement or if the BAA is terminated in accordance with the provisions of Section 6(b) hereof.
b. Termination. Business Associate may terminate this BAA pursuant to Section 6(c) hereof. Covered Entity may terminate this BAA:
(i) immediately if Business Associate is named as a defendant in a criminal proceeding for a violation of HIPAA, the Privacy Rule, the Security Rule or the HITECH Standards; or
(ii) immediately if a finding or stipulation that Business Associate has violated any standard or requirement of HIPAA, HITECH or other security or privacy laws is made in any administrative or civil proceeding in which Business Associate has been joined.
c. Remedies. If Business Associate determines that Covered Entity has materially breached any term of this BAA, Business Associate may pursue any or all of the following remedies:
(i) take any reasonable steps that Business Associate deems necessary to cure such breach or end such violation; and
(ii) terminate this BAA immediately.
If Covered Entity determines that Business Associate has materially breached any term of this BAA, Covered Entity may pursue any or all of the following remedies:
(iii) exercise any of its rights of access and inspection under Section 4(h) of this BAA;
(iv) take any reasonable steps that Covered Entity deems necessary to cure such breach or end such violation; and
(v) terminate this BAA and the Service BAA immediately.
d. Knowledge of Non-Compliance. Any material non-compliance by Business Associate with HIPAA, the Privacy Rule, the Security Rule or the HITECH Standards will be considered a material breach of this BAA if Business Associate knew or reasonably should have known of such noncompliance and failed to take reasonable steps to cure such non-compliance.
e. Reporting to HHS.
(i) If Covered Entity’s efforts to cure any material breach by Business Associate of this BAA are unsuccessful and if termination of this BAA is not feasible, Covered Entity may report the breach to the Secretary of HHS, and Business Associate agrees that it will not make any claims, whether at law, in equity or under this BAA, against Covered Entity with respect to such report.
(ii) If Business Associate’ efforts to cure any material breach by Covered Entity of this BAA are unsuccessful and if termination of this BAA is not feasible, Business Associate may report the breach to the Secretary of HHS, and Covered Entity agrees that it will not make any claims, whether at law, in equity or under this BAA, against Business Associate with respect to such report.
f. Effects of Termination. Upon termination of this BAA, Business Associate shall return or destroy, as specified by Covered Entity, all PHI that Business Associate maintains in any form and shall retain no copies of such PHI. If Covered Entity requests that Business Associate destroy any or all PHI, Business Associate shall certify to Covered Entity that such PHI has been destroyed. If return or destruction is not feasible, including if return is inconsistent with any legal obligation related to the retention of documents, Business Associate shall inform Covered Entity of the reason it is not feasible and shall continue to extend the protections of this BAA to such information and limit further use and disclosure of such PHI to those purposes that make the return or destruction of such PHI infeasible. The Parties’ respective rights and obligations under this Section 6(f) shall survive termination of this BAA.
7. Miscellaneous Terms.
a. State Law. Nothing in this BAA shall be construed to require Business Associate to use or disclose PHI without a written authorization from an individual who is a subject of the PHI, or written authorization from any other person, where such authorization would be required under state law for such use or disclosure.
b. Assistance in Litigation or Administrative Proceedings. Each Party shall make itself, and its employees or agents assisting it in the performance of its obligations under this BAA, available to the other Party at no cost to testify as witnesses or otherwise, in the event of litigation or administrative proceedings being commenced against such Party, its directors, officers or employees based upon a claimed violation of HIPAA, the HIPAA Regulations or other laws relating to security and privacy, except where a Party or its employee or agent is a named adverse party. The Parties’ respective rights and obligations under this Section 7(b) shall survive termination of this BAA.
c. Amendment. Covered Entity and Business Associate agree that amendment of this BAA may be required to ensure that Covered Entity and Business Associate comply with changes in state and federal laws and regulations relating to the privacy, security and confidentiality of PHI, including, but not limited to, changes under the Privacy Rule, the Security Rule and the HITECH Standards. Covered Entity may terminate this BAA upon thirty (30) calendar days written notice in the event that Business Associate does not promptly enter into an amendment that Covered Entity, in its sole discretion, deems sufficient to ensure that Covered Entity will be able to comply with such laws and regulations. This BAA may not otherwise be amended except by written agreement between both Parties.
d. No Third Party Beneficiaries. Nothing express or implied in this BAA is intended or shall be deemed to confer any rights, obligations, remedies or liabilities upon any person other than the Parties and their respective successors and assigns.
e. Disclaimer. Each Party makes no warranty or representation that compliance by the other Party with this BAA, HIPAA, the Privacy Rule, the Security Rule and the HITECH Standards will be adequate or satisfactory for such other Party’s own purposes.
f. Interpretation. The Parties agree that any ambiguity in this BAA shall be resolved in favor of a meaning that complies and is consistent with applicable law protecting the privacy, security and confidentiality of PHI, including, but not limited to, HIPAA, the Privacy Rule, the Security Rule and the HITECH Standards.
g. Effect on Other BAAs. To the extent that any provisions of this BAA conflict with the provisions of the Agreement or any other agreement or understanding between the Parties, this BAA shall control with respect to the subject matter of this BAA.
h. Survival. The Parties’ respective rights and obligations under Sections 5(h), 5(i), 6(f), 6(g) and 7(b) and others which by their nature are intended to survive the termination of this BAA shall survive termination of this BAA. All provisions of this BAA shall survive the termination or expiration of the Agreement.
i. Governing Law. This BAA shall be construed in accordance with the laws of the State of California.