Business Associate Agreement (BAA)
Last Updated: August 20, 2024
This Business Associate Agreement (“BA Agreement”) is effective as of the date of Provider’s acceptance (the “Effective Date”) and is entered into by and between certain provider of health services (the “Provider” or “Covered Entity”) and Wellin5 USA, Inc. (the “Business Associate”) (each a “Party” and collectively the “Parties”).
RECITALS
WHEREAS, Provider and Business Associate are parties an agreement setting forth services that require Business Associate to have access to Protected Health Information; and
WHEREAS, it is the intent of Provider and Business Associate that this BA Agreement is a part of the Terms and Conditions for Providers (https://therachat.freshdesk.com/support/solutions/articles/151000118424-therachat-terms-of-service-for-service-providers), and for the parties to comply with HIPAA.
NOW THEREFORE, in consideration of the mutual premises and covenants contained herein and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, Provider and Business Associate agree as follows:
AGREEMENT
I. GENERAL PROVISIONS
Section I.1. Effect. The provisions of this BA Agreement shall control with respect to Protected Health Information that Business Associate receives from or on behalf of Provider, and the terms and provisions of this BA Agreement shall supersede any conflicting or inconsistent terms and provisions of the Services Agreement, including all exhibits or other attachments thereto and all documents incorporated therein by reference, to the extent of such conflict or inconsistency. This BA Agreement shall not modify or supersede any other provision of the Services Agreement.
Section I.2. No Third-Party Beneficiaries. The parties have not created and do not intend to create by this BA Agreement any third-party rights, including, but not limited to, third party rights for Provider’s patients.
Section I.3. Independent Contractor. Provider and Business Associate acknowledge and agree that Business Associate is at all times acting as independent contractor of Provider under this BA Agreement and not as an employee, agent, partner or joint venturer of Provider.
Section I.4. HIPAA Amendments. Any future amendments to HIPAA affecting business associate agreements are hereby incorporated by reference into this Addendum as if set forth in this BA Agreement in their entirety, effective on the later of the effective date of this Agreement or such subsequent date as may be specified by HIPAA.
Section I.5. Regulatory References. A reference in this BA Agreement to a section in HIPAA means the section as it may be amended from time-to-time.
II. OBLIGATIONS OF BUSINESS ASSOCIATE
Section II.1. Use and Disclosure of Protected Health Information. Business Associate may use and disclose Protected Health Information as permitted or required under this BA Agreement or as Required by Law but shall not otherwise use or disclose any Protected Health Information. Business Associate shall not and shall assure that its employees, other agents and contractors do not use or disclose Protected Health Information received from Provider in any manner that would constitute a violation of HIPAA if so used or disclosed by Provider (except as set forth in Sections 2.1(a), (b) and (c) of this BA Agreement). To the extent Business Associate carries out any of Provider’s obligations under HIPAA, Business Associate shall comply with the requirements of HIPAA that apply to Provider in the performance of such obligations. Without limiting the generality of the foregoing, Business Associate is permitted to use or disclose Protected Health Information as set forth below:
- Business Associate may use Protected Health Information internally for Business Associate’s proper management and administrative services or to carry out its legal responsibilities.
- Business Associate may disclose Protected Health Information to a third party for Business Associate’s proper management and administration, provided that (1) the disclosure is Required by Law, (2) Business Associate makes the disclosure pursuant to an agreement consistent with Section 2.6 of this BA Agreement or (3) Business Associate makes the disclosure pursuant to a written confidentiality agreement under which the third party is required to (i) protect the confidentiality of the Protected Health Information, (ii) only use or further disclose the Protected Health Information as Required by Law or for the purpose for which it was disclosed to the third party and (iii) notify Provider of any acquisition, access, use, or disclosure of Protected Health Information in a manner not permitted by the confidentiality agreement.
- Business Associate may use Protected Health Information to provide Data Aggregation services relating to the Health Care Operations of Provider if required or permitted under the Services Agreement or this BA Agreement.
- If permitted by the Services Agreement, Business Associate may use Protected Health Information to create de-identified health information in accordance with the HIPAA de-identification requirements. Business Associate may disclose health information that has been de-identified in accordance with HIPAA subject to the terms and conditions of the Services Agreement.
Section II.2. Safeguards. Business Associate shall use appropriate safeguards to prevent the use or disclosure of Protected Health Information other than as permitted or required by this BA Agreement. In addition, Business Associate shall implement Administrative Safeguards, Physical Safeguards and Technical Safeguards that reasonably and appropriately protect the Confidentiality, Integrity and Availability of Electronic Protected Health Information that it creates, receives, maintains or transmits on behalf of Provider. Business Associate shall comply with the HIPAA Security Rule with respect to Electronic Protected Health Information.
Section II.3. Minimum Necessary Standard. To the extent required by the “minimum necessary” requirements of HIPAA, Business Associate shall only request, use and disclose the minimum amount of Protected Health Information necessary to accomplish the purpose of the request, use or disclosure. Business Associate shall comply with the minimum necessary guidance to be issued by the Secretary pursuant to HIPAA and, to the extent practicable, shall not request, use or disclose any Direct Identifiers (as defined in the limited data set standard of HIPAA).
Section II.4. Mitigation. Business Associate shall take reasonable steps to mitigate, to the extent practicable, any harmful effect (that is known to Business Associate) of a use or disclosure of Protected Health Information by Business Associate in violation of this BA Agreement or HIPAA.
Section II.5. Subcontractors. Business Associate shall enter into a written agreement meeting the requirements of 45 C.F.R. §§ 164.504(e) and 164.314(a)(2) with each Subcontractor (including, without limitation, a Subcontractor that is an agent under applicable law) that creates, receives, maintains or transmits Protected Health Information on behalf of Business Associate. Business Associate shall ensure that the written agreement with each Subcontractor obligates the Subcontractor to comply with restrictions and conditions that are at least as restrictive as the restrictions and conditions that apply to Business Associate under this BA Agreement.
Section II.6. Reporting Requirements.
- Business Associate shall, without unreasonable delay, but in no event later than five business days after becoming aware of any acquisition, access, use, or disclosure of Protected Health Information in violation of this BA Agreement by Business Associate, its employees, other agents, or contractors or by a third party to which Business Associate disclosed Protected Health Information (each, an “Unauthorized Use or Disclosure”), report such Unauthorized Use or Disclosure to Provider.
- Business Associate shall, without unreasonable delay, but in no event later than five business days after becoming aware of any Security Incident, report it to Provider.
- Business Associate shall, without unreasonable delay, but in no event later than five business days after discovery of a Breach of Protected Health Information (whether secure or unsecured), report such Breach to Provider in accordance with 45 C.F.R. § 164.410.
Section II.7. Access to Protected Health Information. Within ten business days of a request by Provider for access to Protected Health Information about an Individual contained in any Designated Record Set of Provider maintained by Business Associate, Business Associate shall make available to Provider such Protected Health Information for so long as Business Associate maintains such information in the Designated Record Set. If Business Associate receives a request for access to Protected Health Information directly from an Individual, Business Associate shall forward such request to Provider within five business days.
Section II.8. Availability of Protected Health Information for Amendment. Within ten business days of receipt of a request from Provider for the amendment of an Individual’s Protected Health Information contained in any Designated Record Set of Provider maintained by Business Associate, Business Associate shall provide such Protected Health Information to Provider for amendment and incorporate any such amendments in the Protected Health Information (for so long as Business Associate maintains such information in the Designated Record Set) as required by 45 C.F.R. § 164.526. If Business Associate receives a request for amendment to Protected Health Information directly from an Individual, Business Associate shall forward such request to Provider within five business days.
Section II.9. Accounting of Disclosures. Within ten business days of notice by Provider to Business Associate that it has received a request for an accounting of disclosures of Protected Health Information (other than disclosures to which an exception to the accounting requirement applies), Business Associate shall make available to Provider such information as is in Business Associate’s possession and is required for Provider to make the accounting required by 45 C.F.R. § 164.528. If Business Associate receives a request for an accounting directly from an Individual, Business Associate shall forward such request to Provider within five business days.
Section II.10. Availability of Books and Records. Business Associate shall make its internal practices, books and records relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of, Provider available to the Secretary for purposes of determining Provider’s and Business Associate’s compliance with HIPAA.
Section II.11. Restrictions; Limitations in Notice of Privacy Practices. Business Associate shall comply with any reasonable limitation in Provider’s notice of privacy practices to the extent that such limitation may affect Business Associate’s use or disclosure of Protected Health Information. Business Associate shall comply with any reasonable restriction on the use or disclosure of Protected Health Information that Provider has agreed to or is required to abide by under 45 C.F.R. § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of Protected Health Information.
Section II.12. Indemnification. Business Associate shall reimburse, indemnify and hold harmless Provider for all costs, expenses (including reasonable attorney’s fees), damages and other losses resulting from any breach of this BA Agreement, any violation of HIPAA or other federal or state laws, Unauthorized Use or Disclosure, Security Incident or Breach of Protected Health Information maintained by Business Associate or Business Associate’s agent or subcontractor, including, without limitation: fines or settlement amounts owed to a state or federal government agency; the cost of any notifications to Individuals or government agencies; credit monitoring for affected Individuals; or other mitigation steps taken by Provider. This Section 2.12 shall survive the expiration or earlier termination of this BA Agreement.
III. Termination of Agreement
Section III.1. Termination Upon Breach of this BA Agreement. Any other provision of the Services Agreement notwithstanding, Provider may terminate the Services Agreement and this BA Agreement upon 30 days advance written notice to Business Associate in the event that Business Associate breaches this BA Agreement in any material respect and such breach is not cured to the reasonable satisfaction of Provider within such 30-day period provided, however, that in the event that termination of this BA Agreement is not feasible, in Provider’s sole discretion, Provider may report the breach to the Secretary.
Section III.2. Return or Destruction of Protected Health Information upon Termination. Upon expiration or earlier termination of the Services Agreement or this BA Agreement, Business Associate shall either return or destroy all Protected Health Information received from Provider or created or received by Business Associate on behalf of Provider and which Business Associate still maintains in any form. Notwithstanding the foregoing, to the extent that Provider reasonably determines that it is not feasible to return or destroy such Protected Health Information, the terms and provisions of this BA Agreement shall survive termination, and such Protected Health Information shall be used or disclosed solely for such purpose or purposes which prevented the return or destruction of such Protected Health Information.
IV. COUNTERPARTS
This BA Agreement may be executed in two counterparts, each of which shall be deemed an original but both of which together shall constitute one and the same instrument. Copies of signatures sent by facsimile transmission or scanned and sent by email are deemed to be originals for purposes of execution and proof of this Agreement.
If you are a Provider, by creating an account and checking the box, you are hereby agreeing to the terms in this BA Agreement.
Was this article helpful?
That’s Great!
Thank you for your feedback
Sorry! We couldn't be helpful
Thank you for your feedback
Feedback sent
We appreciate your effort and will try to fix the article