This HIPAA BUSINESS ASSOCIATE AGREEMENT ADDENDUM (the “BAA Addendum”), by and between Novadontics (hereinafter referred to as “Business Associate”) and the above-referenced Licensee (hereinafter referred to as “Covered Entity”), is hereby incorporated into the TOS, specifically by Section 8.6 thereof, and is effective as of the Effective Date of the Agreement.

RECITALS
- Covered Entity and Business Associate are parties to one or more agreements (each such agreement, a “Covered Contract,” and collectively, the “Agreement”) pursuant to which Business Associate provides certain services to Covered Entity, and, in connection with those services, Covered Entity discloses to Business Associate certain health information (“Protected Health Information,” as defined in 45 CFR 160.103) that is subject to protection under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health Act, and certain regulations promulgated by the U.S. Department of Health and Human Services to implement certain provisions of HIPAA (herein “HIPAA Regulations,” found at 45 CFR Parts 160-164), all as may be amended from time to time.
- Business Associate, as a recipient of Protected Health Information from Covered Entity, is a “Business Associate” as that term is defined in the HIPAA Regulations.
- Pursuant to the HIPAA Regulations, all Business Associates of the Covered Entity must, as a condition of receiving Protected Health Information in the course of doing business with Covered Entity, agree in writing to certain mandatory provisions regarding, among other things, the use and disclosure of Protected Health Information.
- The purpose of this Addendum is to satisfy the requirements of the HIPAA Regulations, including, but not limited to, 45 CFR §164.504(e), as the same may be amended from time to time.
OBLIGATIONS OF THE PARTIES
I. DEFINITIONS
Catch-all definition: The following terms used in this Agreement shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Protected Health Information, Required By Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use.
Specific definitions:
- (a) Business Associate. “Business Associate” shall generally have the same meaning as the term “Business Associate” at 45 CFR 160.103, and in reference to the party to this agreement, shall mean Novadontics.
- (b) Covered Entity. “Covered Entity” shall generally have the same meaning as the term “Covered Entity” at 45 CFR 160.103, and in reference to the party to this agreement, shall mean the Licensee named on one or more order forms or Subscription Agreements or Service Agreements.
- (c) HIPAA Rules. “HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.
II. OBLIGATIONS AND ACTIVITIES OF BUSINESS ASSOCIATE
Business Associate agrees to:
- (a) Not use or disclose protected health information other than as permitted or required by the Agreement or as required or permitted by law;
- (b) Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic protected health information, to prevent use or disclosure of protected health information other than as provided for by the Agreement; Access to Business Associate’s computer networks and systems and the Protected Health Information will be controlled via a user ID and password. BUSINESS ASSOCIATE IS NOT RESPONSIBLE FOR ANY UNAUTHORIZED USE OR DISCLOSURE OF A USER ID OR PASSWORD, OR FOR ANY BREACH OF THIS BAA ADDENDUM ARISING AS A RESULT OF ANY SUCH UNAUTHORIZED USE OR DISCLOSURE BY COVERED ENTITY.
- (c) Report to Covered Entity any use or disclosure of protected health information not provided for by the Agreement of which it becomes aware, including breaches of unsecured protected health information, and any security incident of which it becomes aware, as required by 45 CFR 164.400-414. Notifications from Novadontics to Covered Entity shall be in writing and will include the information required under 45 CFR 164.404(c). Covered Entity shall take all further actions under this subsection at its sole cost;
- (d) As timely as reasonably possible, and in accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information;
- (e) To the extent Business Associate maintains any protected health information in a designated record set, make available protected health information in a designated record set to the Covered Entity as necessary to enable Covered Entity to meet its obligations under 45 CFR 164.524;
- (f) To the extent Business Associate maintains any protected health information in a designated record set, make any amendment(s) to protected health information in a designated record set as directed or agreed to by the Covered Entity pursuant to 45 CFR 164.526, or take other measures as necessary to enable Covered Entity to meet its obligations under 45 CFR 164.526;
- (g) Maintain and make available the information required to provide an accounting of disclosures to the Covered Entity as necessary to enable Covered Entity to satisfy its obligations under 45 CFR 164.528;
- (h) To the extent the Business Associate is to carry out one or more of Covered Entity’s obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s); and
- (i) Make its internal practices, books, and records available to the Secretary of HHS for purposes of determining compliance with the HIPAA Rules.
III. PERMITTED USES AND DISCLOSURES BY BUSINESS ASSOCIATE
- (a) Covered Entity and Business Associate agree that Business Associate may disclose protected health information to other business associates of Covered Entity for Business Associate’s performance of services contemplated in the Agreement at Covered Entity’s direction, provided that such other business associates have entered into agreements imposing the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information. In addition, Business Associate may use de-identified information as set forth in Section 3.4 of the Agreement.
- (b) Business Associate may use or disclose protected health information as required or permitted by law.
- (c) Business Associate agrees to make uses and disclosures consistent with Covered Entity’s minimum necessary policies and procedures. Business Associate will refer any requests for protected health information directly to Covered Entity for processing and resolution in accordance with this BAA Addendum Section IV.(d).
- (d) Business Associate may not use or disclose protected health information in a manner that would violate Subpart E of 45 CFR Part 164 if done by Covered Entity. However, Business Associate may use or disclose protected health information for its own management and administration and legal responsibilities as set forth in paragraphs (e), (f), or (g) below.
- (e) Business Associate may use protected health information for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate.
- (f) Business Associate may disclose protected health information for the proper management and administration of Business Associate or to carry out the legal responsibilities of the Business Associate, provided the disclosures are required by law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and used or further disclosed only as required or permitted by law or for the purposes for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
- (g) In addition to its rights under Agreement Section 3.4, Business Associate may provide data aggregation services relating to the health care operations of the Covered Entity.
IV. PROVISIONS FOR COVERED ENTITY TO INFORM BUSINESS ASSOCIATE OF PRIVACY PRACTICES AND RESTRICTIONS
- (a) Covered Entity shall notify Business Associate of any limitation(s) in the notice of privacy practices of Covered Entity under 45 CFR 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of protected health information.
- (b) Covered Entity shall notify Business Associate of any changes in, or revocation of, the permission by an individual to use or disclose his or her protected health information, to the extent that such changes may affect Business Associate’s use or disclosure of protected health information.
- (c) Covered Entity shall notify Business Associate of any restriction on the use or disclosure of protected health information that Covered Entity has agreed to or is required to abide by under 45 CFR 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of protected health information.
- (d) Covered Entity will be solely responsible for obtaining from its customers/patients all authorizations relating to the disclosure of Protected Health Information that are required under HIPAA to enable Business Associate and/or its subcontractors to facilitate communication between Covered Entity and its customers/patients and their family members and for Business Associate to otherwise perform its obligations under the Agreement. Covered Entity hereby represents and warrants to Business Associate that it will have received the necessary authorization from a customer/patient prior to the disclosure of such customer/patient’s Protected Health Information to Business Associate. Business Associate will forward to Covered Entity for processing and resolution any and all requests for information it may receive. Covered Entity will be solely responsible for responding to these requests.
- (e) Covered Entity shall promptly notify Business Associate of any breach of any HIPAA obligations that may affect Business Associate’s use or disclosure of protected health information.
V. PERMISSIBLE REQUESTS BY COVERED ENTITY
Covered Entity shall not request Business Associate to use or disclose protected health information in any manner that would not be permissible under Subpart E of 45 CFR Part 164 if done by Covered Entity; provided, however, that the Business Associate may use or disclose protected health information for data aggregation, or for the management and administration and legal responsibilities of the Business Associate, as may be set forth in the Agreement or as permitted by law.
VI. TERM AND TERMINATION
- (a) Term. The Term of this BAA Addendum shall be effective as of the Effective Date of the Agreement, and shall terminate as set forth in the Agreement.
- (b) Termination for Cause. Business Associate authorizes termination of this BAA Addendum according to terms and conditions set forth in the Agreement.
- (c) Obligations of Business Associate Upon Termination.
Upon termination of this Agreement for any reason, Business Associate, with respect to protected health information received from Covered Entity, or created, maintained, or received by Business Associate on behalf of Covered Entity, shall:
- 1) Retain only that protected health information which is necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities;
- 2) Return to Covered Entity or, if agreed to by Covered Entity, destroy the remaining protected health information that the Business Associate still maintains in any form;
- 3) Continue to use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 with respect to electronic protected health information to prevent use or disclosure of the protected health information, other than as provided for in this Section, for as long as Business Associate retains the protected health information;
- 4) Not use or disclose the protected health information retained by Business Associate other than for the purposes for which such protected health information was retained and subject to the same conditions set out at paragraphs (e) and (f) above under “Permitted Uses and Disclosures by Business Associate” which apply prior to termination; and
- 5) Return to Covered Entity or, if agreed to by Covered Entity, destroy the protected health information retained by Business Associate when it is no longer needed by Business Associate for its proper management and administration or to carry out its legal responsibilities.
- (d) Survival. The obligations of Business Associate under this Section VI shall survive the termination of the BAA Addendum and the Agreement.
VII. MISCELLANEOUS
- (a) Regulatory References. A reference in this Agreement to a section in the HIPAA Rules means the section as in effect or as amended.
- (b) Amendment. The Parties agree that Business Associate may amend this BAA Addendum as is necessary from time to time in its discretion for compliance with requirements of the HIPAA Rules and any other applicable law.
- (c) Relationship of the Parties. Covered Entity and Business Associate agree that Business Associate’s services hereunder are being carried out as an independent contractor and not as an employee or agent of the Covered Entity.
- (d) Any ambiguity in this BAA Addendum shall be resolved to comply with the HIPAA Regulations. There are no third-party beneficiaries to this BAA Addendum.