Business Associate Agreement
WHEREAS, Client is a “Covered Entity” as such term is defined under the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as amended and supplemented by Title XII, Subtitle D of the Health Information Technology for Economic and Clinical Health Act of 2009 (the “HITECH Act”), and the regulations promulgated pursuant to each, including the Standards for Privacy of Individually Identifiable Health Information, the Security Standards for the Protection of Electronic Health Information, and rules for Notification in Case of Breach of Unsecured Protected Health Information at 45 CFR part 160 and part 164.  HIPAA, the HITECH Act and the regulations promulgated pursuant to each shall collectively be referred to herein as the “HIPAA Rules”.

WHEREAS, Business Associate and Client have entered into that certain Services Agreement with the same effective date as this BAA under which Business Associate acts as a “business associate” as that term is defined in 45 C.F.R. § 160.103 of Covered Entity. 

WHEREAS, Covered Entity is required to enter into this Business Associate Agreement to obtain satisfactory assurances that Business Associate will appropriately safeguard all Protected Health Information created, received, maintained or transmitted by Business Associate from or on behalf of Covered Entity as required by the HIPAA Rules.

NOW THEREFORE, in consideration of the mutual provisions and covenants contained in this BAA and the Services Agreement and other good and valuable consideration, receipt of which is hereby acknowledged and intending to be legally bound hereby, the Parties covenant and agree as follows:

A. Definitions:  Terms used, but not otherwise defined, in this BAA shall have the same meaning as those terms in the HIPAA Rules.

  1. “Protected Health Information” shall have the same meaning as the term “protected health information” in 45 CFR 160.103, limited to the information created, received, maintained or transmitted by Business Associate from or on behalf of Covered Entity.

  2. “Required By Law” shall have the same meaning as the phrase “Required by law” under the HIPAA Rules.

  3. “Services Agreement” shall mean the underlying agreement between Business Associate and Covered Entity under which Protected Health Information may be disclosed to Business Associate.

B. Obligations and Activities of Business Associate

  1. Business Associate represents and warrants that it will comply with the HIPAA Rules as required by HIPAA, the HITECH Act and the regulations promulgated pursuant to each, including without limitation, the requirements of Title XII, Subtitle D of the HITECH Act, codified at 42 U.S.C. §§ 17921-17953, which are applicable to a “business associate,” as such term is defined in the HIPAA Rules, and will comply with all regulations issued pursuant thereto.

  2. Business Associate agrees to not use or disclose Protected Health Information other than as permitted or required by this BAA or as Required By Law.

  3. Business Associate has established and will maintain appropriate administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of Protected Health Information (whether electronic or otherwise), as required by the HIPAA Rules and as described in Business Associate’s AICPA SSAE-18 System Organization Control (SOC) 2 Type II report.

  4. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate or any of its employees, agents or subcontractors in violation of the requirements of this BAA or the HIPAA Rules.

  5. Business Associate agrees to report in writing to Covered Entity any (i) Breach of Unsecured Protected Health Information and/or (ii) any acquisition, access, use or disclosure of Protected Health Information not permitted by this BAA or Services Agreement, including any Security Incident, of which it becomes aware (collectively, a “Notifying Event”).  Such report must be provided to Covered Entity within five days of Business Associate’s discovery of such Notifying Event.  Business Associate shall cooperate and coordinate with Covered Entity to determine additional actions that may be required of Business Associate for mitigation of a Notifying Event.  Notwithstanding the foregoing, the Parties agree and acknowledge that Business Associate is subject to common, unsuccessful attempts to access its systems that do not result in any unauthorized access, use, disclosure, modification, destruction of information or interference with system operations (“Unsuccessful Security Incidents”).  Business Associate hereby notifies Covered Entity of Unsuccessful Security Incidents including, but not limited to, ping sweeps or other common network reconnaissance techniques, attempts to log on to a system with an invalid password or username, and denial of service attacks that do not result in a server being taken offline, which will occur from time to time.  The preceding sentence shall be deemed to meet requirements for reporting of such Unsuccessful Security Incidents under this BAA.

  6. Business Associate agrees to ensure that any agent, including a subcontractor, who will have access to, create, receive, maintain, or transmit Protected Health Information of Covered Entity on behalf of Business Associate agrees in writing to the restrictions and conditions that are no less restrictive than those that apply to Business Associate under this BAA and which are required to comply with HIPAA Rules with respect to such Protected Health Information, including, but not limited to, (a) the obligation to comply with the HIPAA Rules; and (b) the obligation to implement reasonable and appropriate safeguards to protect the Protected Health Information.  The Parties agree and acknowledge that Business Associate may have certain agreements with subcontractors that, while meeting the requirements of this BAA and the HIPAA Rules, do not contain identical language with this BAA.

  7. Covered Entity and Business Associate acknowledge and agree that their proposed relationship, as set forth in the Services Agreement, does not contemplate that Business Associate will maintain or otherwise possess a Designated Record Set, as defined in the HIPAA Rules.  If Covered Entity wishes for Business Associate to maintain or otherwise possess a Designated Record Set, then Covered Entity will notify Business Associate in writing and propose an amendment to the Services Agreement.  To the extent Business Associate maintains Protected Health Information in a Designated Record Set, Business Associate agrees to provide access, at the request of Covered Entity or an Individual, to Protected Health Information in a Designated Record Set, to Covered Entity or to an Individual in order to meet the requirements under 45 CFR 164.524 and the HIPAA Rules.  To the extent that such Protected Health Information is maintained in an Electronic Health Record, Business Associate agrees to produce a copy of such Protected Health Information in electronic format upon Covered Entity’s or an Individual’s request in accordance with the Section 13405(e) of the HITECH Act, codified at 42 U.S.C. § 17935(e), and regulations promulgated pursuant thereto.

  8. To the extent Business Associate maintains Protected Health Information in a Designated Record Set, Business Associate agrees to make any amendment(s) to Protected Health Information in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 CFR 164.526 at the request of Covered Entity or an Individual.

  9. Business Associate agrees to make internal practices, books, and records, including Protected Health Information and policies and procedures relating to the use and disclosure of Protected Health Information, available to the Secretary, in a time and manner designated by the Secretary, for purposes of the Secretary determining Covered Entity’s or Business Associate’s compliance with the HIPAA Rules or Business Associate’s compliance with this BAA. 

  10. Business Associate agrees to document such disclosures of Protected Health Information and information related to such disclosures as would be required for Covered Entity or Business Associate to timely respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR 164.528 or the effective provisions of Section 13405(c) of the HITECH Act, codified at 42 U.S.C. § 17935(b), and effective regulations promulgated thereto. 

  11. Business Associate agrees to provide to Covered Entity or an Individual, information collected in accordance with Section B.10 of this BAA, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR 164.528 or the effective provisions of Section 13405(c) of the HITECH Act, codified at 42 U.S.C. § 17935(b), and effective regulations promulgated thereto.  To the extent Protected Health Information is maintained in an Electronic Health Record, Business Associate further agrees to provide an accounting of disclosures of Protected Health Information upon request by Covered Entity or an Individual in accordance with Section 13405(c) of the HITECH Act, codified at 42 U.S.C. § 17935(b), and effective regulations promulgated thereto.

  12. Business Associate agrees to restrict the use or disclosure of Protected Health Information as required by Section 13405(a) of the HITECH Act, as codified at 42 U.S.C. § 17935(a), and regulations promulgated thereto, as requested by Covered Entity or an Individual. 

  13. To the extent Protected Health Information is maintained in an Electronic Health Record, Business Associate agrees to comply with the prohibition on the sale of Protected Health Information without an Individual’s authorization and written permission of Covered Entity in accordance with Section 13405(d) of the HITECH Act, as codified at 42 U.S.C. § 17935(d), and regulations promulgated thereto.

  14. Business Associate agrees to comply with the conditions on certain Marketing Health Care Operations communications unless permitted by this BAA and Section 13406 of the HITECH Act, codified at 42 U.S.C. § 17936, and regulations promulgated thereto.

  15. Covered Entity and Business Associate acknowledge and agree that their proposed relationship, as set forth in the Services Agreement, does not contemplate that Business Associate will carry out one or more of Covered Entity’s obligations under Subpart E of 45 C.F.R. Part 164.  If Covered Entity wishes for Business Associate to carry out such obligations, then Covered Entity will notify Business Associate in writing and propose an amendment to the Services Agreement.  To the extent that Business Associate is to carry out one or more of Covered Entity’s obligations under Subpart E of 45 C.F.R. Part 164, Business Associate agrees to comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligations.

C. Permitted Uses and Disclosures by Business Associate; General Use and Disclosure Provisions

Except as otherwise limited in this BAA, Business Associate may use or disclose Protected Health Information to perform functions, activities, or services for, or on behalf of, Covered Entity as specified in the Services Agreement, provided that such use or disclosure would not violate the HIPAA Rules if done by Covered Entity or Business Associate or the Minimum Necessary policies and procedures of the Covered Entity.  To the extent practicable, any use or disclosure of Protected Health Information shall be limited to a Limited Data Set or the Minimum Necessary to accomplish the intended purpose of such use or disclosure, or otherwise comply with guidance on “minimum necessary” as promulgated by the Secretary in accordance with Section 13405(b) of the HITECH Act, as codified at 42 U.S.C. § 17935(b).

D. Specific Use and Disclosure Provisions

  1. Except as otherwise limited in this BAA, Business Associate may use Protected Health Information for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate.

  2. Except as otherwise limited in this BAA, Business Associate may disclose Protected Health Information for the proper management and administration of the Business Associate, provided that disclosures are Required By Law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.

  3. Except as otherwise limited in this BAA, Business Associate may use Protected Health Information to provide Data Aggregation services to Covered Entity upon Covered Entity’s request as permitted by 45 CFR 164.504(e)(2)(i)(B).

  4. Business Associate may de-identify Protected Health Information solely for uses specified in the applicable Services Agreement, provided that such Protected Health Information has been de-identified in compliance with 45 C.F.R. § 164.514(b) such that the resulting data does not identify an individual.

  5. Business Associate may use Protected Health Information to report violations of law to appropriate Federal and State authorities, consistent with 45 CFR 164.502(j)(1).

E. Obligations of Covered Entity

  1. Covered Entity shall notify and consult with Business Associate as to any limitation(s) in its notice of privacy practices of Covered Entity in accordance with 45 CFR 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of Protected Health Information and provide a reasonable period of time for Business Associate to address such limitations.  Business Associate is not obligated to agree to any limitations that cannot be supported by its then-current business operations.  To the extent that Business Associate will incur any costs in connection with complying with such limitations, then Covered Entity will pay for such costs.  Covered Entity shall notify and consult with Business Associate as to any restriction to the use or disclosure of Protected Health Information that Covered Entity has agreed to in accordance with 45 CFR 164.522 or Section 13405(a) of the HITECH Act, as codified at 42 U.S.C. § 17935(a), and regulations promulgated thereto, to the extent that such restriction may affect Business Associate’s use or disclosure of Protected Health Information.  Covered Entity will provide a reasonable period of time for Business Associate to address such restrictions.   Business Associate is not obligated to agree to any restrictions that cannot be supported by its then-current business operations.  To the extent that Business Associate will incur any costs in connection with complying with such restrictions, then Covered Entity will pay for such costs. 

  2. Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by Individual to use or disclose Protected Health Information, to the extent that such changes may affect Business Associate’s use or disclosure of Protected Health Information.

  3. Except as provided above regarding data aggregation and management and administrative activities of Business Associate, Covered Entity shall not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under the HIPAA Rules if done by Covered Entity.

F. Term and Termination

  1. Term.  The Term of this BAA shall be effective as of the Effective Date of the Services Agreement and shall terminate with the Services Agreement.

  2. Termination for Cause.  Upon Covered Entity’s knowledge of a material breach by Business Associate, Covered Entity shall either:

    1. Provide an opportunity for Business Associate to cure the breach or end the violation and terminate this BAA and the Services Agreement if Business Associate does not cure the breach or end the violation within the time specified by Covered Entity, which shall not be less than thirty (30) days; or

    2. Immediately terminate this BAA and the Services Agreement if Business Associate has breached a material term of this BAA and cure is not possible.

  3. Effect of Termination.

    1. Except as provided in paragraph (b) of this section, upon termination of this BAA, for any reason, Business Associate shall return or destroy all Protected Health Information.  This provision shall apply to Protected Health Information that is in the possession of subcontractors or agents of Business Associate.  Business Associate shall retain no copies of the Protected Health Information.

    2. In the event that Business Associate determines that returning or destroying the Protected Health Information is infeasible, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction infeasible.  Upon determining that return or destruction of Protected Health Information is infeasible, Business Associate shall extend the protections of this BAA and the HIPAA Rules to such Protected Health Information and limit further uses and disclosures of such Protected Health Information to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such Protected Health Information.

G. Miscellaneous

  1. Survival.  The respective rights and obligations of Business Associate under Section B.5 and Section F.3 of this BAA shall survive the expiration or termination of this BAA.

  2. Interpretation.  Any ambiguity in this BAA shall be resolved to permit Covered Entity to comply with the HIPAA Rules.  Section 9 (Limitation of Liability) of Exhibit A to the Services Agreement applies to this BAA.

  3. No Third Party Beneficiaries.  This BAA shall not confer any benefit or rights upon any person other than the parties hereto, and no third party shall be entitled to enforce any obligation, responsibility, or claim of either party to this BAA, unless expressly provided otherwise in this BAA.

  4. Choice of Law.  The law of the State of Florida shall govern this BAA without regard to its rules governing conflicts of law. 

  5. Binding Nature and Assignment.  This BAA and the rights and obligations of a Party hereto may be assigned only upon the prior written approval of the other Party, which is not to be unreasonably withheld or delayed, except no such approval shall be required for an assignment by a Party to a party in connection with such Party’s reorganization, merger, consolidation, sale, acquisition or other restructuring involving all or substantially all of the voting securities or assets of the applicable business line of such Party.  The rights and obligations of the Parties will inure to the benefit of, will be binding upon, and will be enforceable by the Parties and their lawful successors, authorized assigns, and representatives.

  6. Notices.  Any notices required or permitted under this BAA shall be deemed effective (a) on the day when personally delivered to a party, or (b) upon delivery if sent by registered or certified mail, return receipt requested, postage prepaid, to such party at the addresses set forth below.  In addition, Business Associate will accept written notice by email delivered to notices@Springbig.com with receipt deemed when Business Associate replies by email to the sender’s email address and acknowledges having received such written notice, provided that an automatic “read receipt,” out of office message or similar automated message will not constitute acknowledgment of an email for purposes of this Section.  Either party may only change its address for notices under this Section by a written notice to the other party given in accordance with this Section.

  7. Waiver.  No waiver or discharge of obligations arising under this BAA shall be valid unless in writing and executed by the Party against whom such waiver or discharge is sought to be enforced.  The waiver by either Party to this BAA of a breach of any provisions of this BAA shall not operate or be construed as a waiver of any subsequent breach of the same or any other provision of this BAA.

  8. Change in Law; Amendments.

    1. A reference in this BAA to a provision of HIPAA, the HITECH Act or each of their implementing regulations means such provision as in effect or as amended.

    2. No amendment or modification of this BAA will be effective except by a written amendment executed by the Party against whom such amendment or modification is sought to be enforced.

    3. The Parties acknowledge that it may be necessary to amend this BAA from time to time as required by the provisions of the HIPAA Rules, or other applicable law, to ensure that this BAA is consistent with all such laws and regulations.  The Parties agree to take such action to amend this BAA from time to time as is necessary for Covered Entity and Business Associate to comply with the requirements of the HIPAA Rules and other applicable laws and regulations.  This BAA may be terminated by either party upon thirty (30) days prior written notice to the other party, or upon such lesser notice as required by applicable law, if the parties fail to reach written agreement on modifications to this BAA needed to comply with the provisions of applicable law.

IN WITNESS WHEREOF, the Parties have caused this Business Associate Agreement to be duly executed in their respective names and on their behalf effective as of the date set forth above.