Business Associate Agreement Attachment For eReferrals

THIS BUSINESS ASSOCIATE AGREEMENT (“BAA”) is incorporated into and made part of the eReferrals Services Schedule https://thinkresearch.com/ca/company-overview/msa/schedule-ereferrals/. This Attachment applies solely to personal health information as defined in HIPAA and applies solely to Customers located in the United States. For the purposes of this Attachment, the Customer shall be deemed the “Covered Entity” and Think Research shall be deemed the “Business Associate”. Unless otherwise defined in this BAA, capitalized terms will have the meaning given to them in the Master Services Agreement.

RECITALS

  1. Covered Entity is a health care provider subject to the Health Insurance Portability and Accountability Act of 1996, the HITECH Act, and regulations promulgated thereunder (“HIPAA”).
  2. Business Associate, through the provision of services on behalf of the Covered Entity pursuant to that license agreement entered into between the parties (the “Agreement”), is a “business associate” of the Covered Entity as that term is defined in 45 C.F.R. § 160.103, and is subject to the Security Rule and certain provisions of the Privacy Rule.
  3. Covered Entity is required by HIPAA to obtain satisfactory assurances that Business Associate will appropriately safeguard all Protected Health Information and Electronic Protected Health Information disclosed by, or created or received by Business Associate on behalf of, Covered Entity.

NOW, THEREFORE, in consideration of entering into the Agreement and the mutual promises and agreements below and in order to comply with all legal requirements, the parties agree as follows:

  1. DEFINITIONS
    1. “Agreement” has the meaning set forth in the preamble.
    2. “ARRA Breach” has the same meaning as the term “Breach” in Section 13400(1) of the HITECH Act (i.e. 42 USCA 17921) and 45 CFR 164.402.
    3. “Business Associate” has the meaning set forth in the preamble.
    4. “Covered Entity” has the meaning set forth in the preamble.
    5. “Data Aggregation” means the combining of PHI created or received under this BAA with the PHI Business Associate receives or creates in its arrangement with another covered entity under the Privacy Rule to permit data analysis that relates to the Health Care Operations of the covered entities.
    6. “Designated Record Set” means a group of records maintained by or for the Covered Entity that is:  (i) the medical records and/or billing records about Individuals; (ii) the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or (iii) used, in whole or in part, by or for the Covered Entity to make decisions about Individuals.  As used herein the term “record” means any item, collection, or grouping of information that includes PHI and is maintained, collected, used or disseminated by or for the Covered Entity.
    7. “Effective Date” has the meaning set forth in the preamble.
    8. “Electronic PHI” means information that comes within paragraphs 1(i) or 1(ii) of the definition of “protected health information,” as defined in 45 C.F.R. § 160.103, limited to the information created, received, maintained or transmitted by Business Associate on behalf of Covered Entity.
    9. “HIPAA” has the meaning set forth in the Recitals.
    10. “HITECH Act” means Title XIII and Title IV of Division B of the American Recovery and Reinvestment Act of 2009, Public Law No. 111-5 and all regulations promulgated thereunder.
    11. “Individual” means the person who is the subject of the PHI and includes a person who qualifies as a personal representative in accordance with 45 C.F.R. § 164.502(g).
    12. “PHI” means Protected Health Information that is provided by Covered Entity to Business Associate or created or received by Business Associate on behalf of Covered Entity.
    13. “Privacy Rule” means the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. part 160 and part 164, subparts A and E.
    14. “Protected Health Information” or “PHI” shall have the meaning set forth at 45 CFR § 160.103, limited to that information created, received, maintained or transmitted by Business Associate from or on behalf of Covered Entity.
    15. “Required by Law” has the same meaning as the term “required by law” in 45 C.F.R. § 164.103.
    16. “Secretary” means the Secretary of the U.S. Department of Health and Human Services or his or her designee.
    17. “Security Incident” has the same meaning as the term “security incident” in 45 C.F.R. § 164.304.
    18. “Security Rule” means the Security Standards and Implementation Specifications at 45 C.F.R. part 160 and part 164, subpart C.
    19. “Unsecured Protected Health Information” or “Unsecured PHI” means PHI that is not secured through the use of a technology or methodology that the Secretary specifies in guidance renders PHI unusable, unreadable, or indecipherable to unauthorized individuals, such as the guidance set forth in 74 Fed. Reg. 19006 (April 27, 2009) and updated in 74 Fed. Reg. 42740 (August 24, 2009).
    20. Remaining Terms.  Capitalized terms used, but not otherwise defined, in this BAA have the meaning ascribed to them in HIPAA, the Privacy Rule, the Security Rule or the HITECH Act.
  2. PERMITTED USES AND DISCLOSURES OF PHI
    1. Agreement Uses and Disclosures.  Business Associate may use or disclose PHI for purposes of performing its obligations and functions under the Agreement, provided that such use or disclosure would not violate the Privacy Rule if done by Covered Entity.
    2. Other Permitted Uses.  Business Associate may use PHI:  (i) for the proper management and administration of the Business Associate; (ii) to carry out the legal responsibilities of the Business Associate; and (iii) for the provision of Data Aggregation services relating to the Health Care Operations of Covered Entity.  Business Associate may de-identify PHI from the Covered Entity’s use of the product licensed pursuant to the Agreement and may use the de-identified PHI to generate depersonalized usage data, statistics, and other aggregate and non-aggregate information, and may use and share such de-identified PHI for any lawful purpose.
    3. Other Permitted Disclosures.  Business Associate may disclose PHI for the purposes described in Section 2.2 above if:  (i) the disclosure is Required by Law; or (ii) Business Associate obtains reasonable written assurance from the person or entity to whom it discloses the PHI that the PHI will remain confidential and will be used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person or entity, and the person or entity notifies Business Associate of any instances of which it is aware in which the confidentiality of the PHI has been breached.
  3. OBLIGATIONS OF BUSINESS ASSOCIATE
    1. Compliance with Privacy Rule.  Business Associate shall comply with all applicable provisions of the Privacy Rule in carrying out its obligations under the Agreement and this BAA.  Further, to the extent Business Associate is to carry out any of Covered Entity’s obligations under subpart E of 45 CFR 164, Business Associate agrees to comply with the requirements of such subpart that apply to Covered Entity in the performance of such obligations.
    2. Prohibition on Unauthorized Use or Disclosure.  Business Associate shall not use or disclose PHI except as permitted by this BAA or as Required by Law.
    3. Minimum Necessary
      1. Business Associate shall limit its use and disclosure of PHI under this BAA to the “minimum necessary,” as set forth in guidance that the Secretary will issue regarding what constitutes “minimum necessary” under the Privacy Rule.  Until the issuance of such guidance, Business Associate shall limit its use and disclosure of PHI, to the extent practicable, to the Limited Data Set (as that term is defined in 45 C.F.R. § 164.514(e)(2)), or, if needed, to the minimum necessary to accomplish the Business Associate’s intended purpose.  Business Associate may in good faith determine what constitutes the minimum necessary to accomplish the intended purpose of any disclosure of PHI.
      2. Paragraph 3.3.1 above does not apply to:  (1) disclosures to or requests by a health care provider for treatment; (2) uses or disclosures made to the Individual; (3) disclosures made pursuant to an authorization as set forth in 45 C.F.R. § 164.508; (4) disclosures made to the Secretary under 45 C.F.R. part 160, subpart C; (5) uses or disclosures that are Required by Law as described in 45 C.F.R. § 164.512(a); and (6) uses or disclosures that are required for compliance with applicable requirements of the Privacy Rule.
    4. Safeguarding PHI; Security Regulations.  Business Associate shall use appropriate administrative, physical, and technical safeguards and comply with the Security Rule with respect to Electronic PHI to prevent the use or disclosure of PHI other than as provided for by this BAA.
    5. Mitigation.  Business Associate shall mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a Security Incident or a use or disclosure of PHI by Business Associate in violation of this BAA.
    6. Reporting.  In the event that Business Associate becomes aware of a use or disclosure of PHI by Business Associate that is not permitted under this BAA, Business Associate shall report such use or disclosure to the Covered Entity promptly in writing and in any event within ten (10) days of becoming aware of the use or disclosure.  Business Associate agrees to report to Covered Entity in writing any Security Incident of which it becomes aware, except that, for purposes of this reporting requirement, the term “Security Incident” does not include inconsequential incidents that occur on a frequent basis, such as scans or “pings” that are not allowed past Business Associate’s firewall.  Notwithstanding this Section 3.6, the Business Associate’s reporting obligations regarding any ARRA Breach are set forth in Section 4.
    7. Subcontractors.  Business Associate shall ensure that all subcontractors or agents of Business Associate that create, receive, maintain or transmit PHI on behalf of the Business Associate agree in writing to the same restrictions and conditions that apply through this BAA to Business Associate with respect to such information.  Business Associate shall ensure that all agents, including subcontractors, to whom it provides Electronic PHI agree in writing to implement reasonable and appropriate safeguards to protect such Electronic PHI.
    8. Access.
      1. Within twenty (20) days of a request from Covered Entity, Business Associate shall furnish the PHI contained in a Designated Record Set that will enable the Covered Entity to respond to an Individual’s request for inspection or copies of PHI about the Individual pursuant to 45 CFR § 164.524.
      2. In the event an Individual requests access to PHI directly from Business Associate, Business Associate shall forward such request to the Covered Entity immediately and take no direct immediate action on any such request.  If the Covered Entity determines that an Individual is to be granted access to PHI, then Business Associate shall cooperate with the Covered Entity to provide to any Individual, at the Covered Entity’s direction, any PHI requested by such Individual.
    9. Amendment.
      1. If the Covered Entity requests that Business Associate amend any Individual’s PHI or a record regarding an Individual contained in a Designated Record Set, then Business Associate shall provide the relevant PHI to the Covered Entity for amendment and incorporate any such amendments in the PHI as required by 45 C.F.R. §164.526.
      2. In the event an Individual requests directly to Business Associate that PHI be amended, Business Associate shall forward such request to the Covered Entity within twenty (20) days of Business Associate’s receipt of such request and shall take no direct immediate action on the request.
    10. Records Availability.  Business Associate shall make its internal practices, books and records relating to the use and disclosure of PHI available to the Secretary for purposes of determining Covered Entity’s compliance with the Privacy Rule.
    11. Accounting of Disclosures.
      1. If the Covered Entity requests that Business Associate furnish an accounting of disclosures of PHI made by Business Associate regarding an Individual during the six (6) years prior to the date on which the accounting was requested, then Business Associate shall, within twenty (20) days of such request, make available to the Covered Entity such information as is in Business Associate’s possession and is required for the Covered Entity to make the accounting required by 45 C.F.R. §164.528.
      2. In the event an Individual requests an accounting of disclosures directly from Business Associate, Business Associate shall within ten (10) days forward such request to the Covered Entity and shall take no direct action on the request.
  4. ARRA BREACH NOTIFICATION.  
    If Business Associate becomes aware of an ARRA Breach, Business Associate shall notify the Covered Entity of the ARRA Breach as soon as reasonably possible.  Business Associate shall carry out on behalf of Covered Entity any breach notification obligations imposed on Covered Entity under HIPAA or state breach notification laws and arising from services performed under the Agreement.
  5. TERM AND TERMINATION
    1. Term.  This BAA is effective upon the effective date of the Agreement, and except for the rights and obligations set forth in this BAA specifically surviving termination, shall terminate automatically on the date the Agreement terminates.
    2. Termination for Cause.  Notwithstanding any provision in this BAA, if Covered Entity reasonably determines that Business Associate has breached any provision of this BAA or otherwise violated HIPAA, the Privacy Rule, the Security Rule or the HITECH Act, Covered Entity shall provide written notice to Business Associate with an opportunity for Business Associate to cure the breach or end the violation within thirty (30) business days of such written notice, unless cure is not possible.  If Business Associate fails to cure the breach or end the violation within the specified time period or cure is not possible, this BAA and the Agreement shall automatically and immediately terminate, unless termination is infeasible.
  6. GENERAL PROVISIONS
    1. Effect.  The terms and provisions of this BAA supersede any other conflicting or inconsistent terms and provisions in any agreements between the parties, including all exhibits or other attachments thereto and all documents incorporated therein by reference.
    2. Amendment.  Business Associate and the Covered Entity agree to amend this BAA to the extent necessary to allow either party to comply with HIPAA, the Privacy Rule, the Security Rule, or the HITECH Act.  All such amendments shall be made in a writing signed by both parties.
    3. No Third Party Beneficiaries.  This BAA is intended for the benefit of Business Associate and Covered Entity only.  Nothing express or implied is intended to confer or create, nor be interpreted to confer or create, any rights, remedies, obligations or liabilities to or for any third party beneficiary, including without limitation Individuals who are the subject of PHI.
    4. Assignment.  Neither party may assign this BAA in whole or in part without the prior written consent of the other party.  Notwithstanding the foregoing, Business Associate may assign or transfer this BAA to an affiliate pursuant to a corporate reorganization, or to a third party in connection with a merger, amalgamation, consolidation, business combination or other similar transaction, or a sale of substantially all of its assets or business.  This BAA and all of the provisions contained hereunder shall be binding upon and enure to the benefit of the parties and their successors and permitted assigns.
    5. Interpretation.  Any ambiguity in this BAA shall be resolved in favor of a meaning that permits Covered Entity and Business Associate to comply with HIPAA, the Privacy Rule, the Security Rule, and the HITECH Act.