Compliance

Business Associate Agreement

This Business Associate Agreement (this “Agreement”) is entered into as part of the signup (the “Effective Date”) by and between the Practice (“Practice”) and Patient Onboard, LLC (“Business Associate”).

WHEREAS, Business Associate performs services for or on behalf of the Practice (the “Services”) pursuant to terms of use (the “Underlying Agreement”), which Services involve the access, use and/or disclosure of Protected Health Information (as defined below); and

WHEREAS, the parties desire to enter into this Agreement in order to comply with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and its implementing regulations, as amended and in effect.

NOW THEREFORE, the parties agree as follows:

Definitions

Capitalized terms not otherwise defined in this Agreement shall have the same meaning as those terms in the HIPAA Privacy Rule and Security Rule (as defined below).

  • “Breach,” when capitalized, shall have the meaning set forth in 45 CFR § 164.402 (including all of its subsections).
  • “Electronic Protected Health Information” or “EPHI” shall have the same meaning as the term “electronic protected health information” in 45 CFR § 160.103, limited to information that Patient Onboard, LLC creates, accesses, receives or maintains for or on behalf of the Practice.
  • “Protected Health Information” or “PHI” shall have the meaning set forth in 45 CFR § 160.103, limited to information that Patient Onboard, LLC creates, accesses, receives or maintains for or on behalf of the Practice. PHI includes EPHI.
  • “Privacy Rule” means the Standards for Privacy of Individually Identifiable Health Information, codified at 45 CFR parts 160 and 164, Subparts A, D and E, as currently in effect.
  • “Security Rule” means the Standards for Security for the Protection of Electronic Protected Health Information, codified at 45 CFR parts 160 and 164, Subparts A and C, as currently in effect.
  • “Unsecured Protected Health Information” shall have the same meaning as the term “unsecured protected health information” in 45 CFR § 164.402, limited to such information accessed, created, received or maintained by Patient Onboard, LLC.

Scope of use and disclosure of PHI

  • Business Associate Status. Patient Onboard, LLC acknowledges that it is the Practice’s “business associate” as defined by HIPAA. Patient Onboard, LLC agrees to comply with the HIPAA regulations as they directly apply to Patient Onboard, LLC.
  • Performance of Service. Patient Onboard, LLC shall not access, use or further disclose PHI other than as permitted or required by this Agreement, to perform the Services pursuant to the Underlying Agreement or as Required by Law. Patient Onboard, LLC shall not access, use or disclose PHI in any manner that would violate HIPAA if such access, use or disclosure was done by the Practice.
    1. Uses and Disclosures Permitted by Law. Patient Onboard, LLC may use or disclose PHI: (A) as is necessary for the proper management and administration of Patient Onboard, LLC’s organization, and (B) to carry out the legal responsibilities of Patient Onboard, LLC; provided, however, that any permitted disclosure of PHI to a third party must be either Required by Law or subject to reasonable assurances obtained by Patient Onboard, LLC from the third party that PHI will be held confidentially and securely, and used or disclosed only as Required by Law or for the purposes for which it was disclosed to such third party, and that any breaches of confidentiality of PHI which become known to such third party will be immediately reported to Patient Onboard, LLC.
    2. Statistical Aggregation. Patient Onboard, LLC shall not use PHI for any compilation or aggregation of data or for any commercial purpose whatsoever not set forth in this Agreement, unless permitted by the Practice in a written document.
    3. De-identification. Patient Onboard, LLC shall not use PHI to create de-identified PHI for any purpose not set forth in this Agreement, unless permitted by the Practice in a written document.
  • Minimum Necessary. Patient Onboard, LLC shall not access, use or disclose more than the minimum necessary PHI to perform or fulfill the intended permissible purpose, in accordance with this Agreement.
  • Privacy Rule. To the extent Patient Onboard, LLC carries out one or more of the Practice’s obligations under the HIPAA Privacy Rule, Patient Onboard, LLC shall comply with the requirements of HIPAA that apply to the Practice in the performance of such obligation(s).
  • Security Rule and Safeguards. Patient Onboard, LLC shall use safeguards that are appropriate and sufficient to prevent access, use or disclosure of PHI other than as permitted or required by this Agreement. Patient Onboard, LLC shall comply with the Security Rule with respect to EPHI, including implementing Administrative Safeguards, Physical Safeguards, and Technical Safeguards that reasonably and appropriately protect the Confidentiality, Integrity and Availability of EPHI.
  • Notification. Without unreasonable delay, Patient Onboard, LLC shall notify the Practice, in writing, of any use or disclosure of PHI not provided for by this Agreement of which Patient Onboard, LLC becomes aware. Without unreasonable delay, Patient Onboard, LLC shall report to the Practice in writing of any Security Incident of which it becomes aware in accordance with the Security Rule and Patient Onboard, LLC’s obligations under the same. Upon the Practice’s request, Patient Onboard, LLC shall provide a report of any and all impermissible uses, disclosures and/or Security Incidents.
  • Subcontractors. Patient Onboard, LLC shall ensure that any and all subcontractors that create, receive, maintain or transmit PHI on behalf of Patient Onboard, LLC agree, in writing, to the same restrictions and conditions that apply to Patient Onboard, LLC. Each subcontract agreement must include, without limitation, the provisions of this Agreement. Patient Onboard, LLC shall make such agreements with its subcontractors available to the Practice upon request.
  • Audit. Patient Onboard, LLC shall make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by Patient Onboard, LLC on behalf of, the Practice available to the Secretary of Health and Human Services and/or the Practice, upon request, for purposes of determining and facilitating the Practice’s compliance with HIPAA.
    1. Patient Right to Review. Patient Onboard, LLC shall make PHI maintained in a Designated Record Set available to the Practice or, at the direction of the Practice, to an Individual, in accordance with §164.524 of the Privacy Rule.
    2. Patient Right to Amend. Patient Onboard, LLC shall make PHI available for amendment and incorporate any amendments to PHI maintained in a Designated Record Set at the direction of the Practice and in accordance with §164.526 of the Privacy Rule. The Practice shall be involved in any decision of Patient Onboard, LLC to amend the PHI of an Individual.
    3. Patient Right to Request Accounting. Patient Onboard, LLC shall document and make available to the Practice or, at the direction of the Practice, to an Individual, information relating to such Individual as is necessary for the Practice to respond to a request for an accounting of disclosures in accordance with §164.528 of the Privacy Rule.
  • Designated Record Set. Patient Onboard, LLC agrees to provide PHI it maintains electronically in a Designated Record Set in an electronic form at the request of the Practice or an Individual.
    1. Notice to the Practice. Patient Onboard, LLC shall notify the Practice immediately in writing upon receiving a request from an Individual to review, copy or amend his or her medical record information or to receive an accounting of disclosures. Patient Onboard, LLC shall also provide the Practice with a prompt written report of the details of its handling of such requests.
  • Breach. Patient Onboard, LLC shall notify the Practice of Breaches of Unsecured Protected Health Information in accordance with the requirements of 45 CFR § 164.410. Such notification shall include, to the extent possible, the identification of each Individual whose PHI has been or is reasonably believed to have been accessed, acquired, used or disclosed during the Breach, along with any other information that the Practice will be required to include in its notification to an affected Individual, the media and/or the Secretary, as applicable, including, without limitation, a description of the Breach, the date of the Breach and its discovery, the types of Unsecured Protected Health Information involved and a description of Patient Onboard, LLC’s investigation, mitigation and prevention efforts.
  • Mitigation. Patient Onboard, LLC agrees to mitigate, to the extent practicable, any harmful effect that is known to Patient Onboard, LLC of a use or disclosure of PHI by Patient Onboard, LLC or a subcontractor or agent of Patient Onboard, LLC in violation of the requirements of this Agreement, the Privacy Rule, the Security Rule or other applicable federal or state law.

Practice obligations

  • Notice of Privacy Practices. The Practice shall notify Patient Onboard, LLC of limitation(s) in its notice of privacy practices to the extent such limitation affects Patient Onboard, LLC’s permitted uses or disclosures under this Agreement.
  • Individual Authorization. The Practice shall notify Patient Onboard, LLC of changes in, or revocation of, authorization by an Individual to use or disclose PHI, to the extent such changes affect Patient Onboard, LLC’s permitted uses or disclosures under this Agreement.
  • Restrictions. The Practice shall notify Patient Onboard, LLC of restriction(s) in the use or disclosure of PHI that the Practice has agreed to, to the extent such restriction affects Patient Onboard, LLC’s permitted uses or disclosures under this Agreement.

Term & termination

  • Term. This Agreement shall become effective as of the Effective Date and remain in effect until all PHI is returned or destroyed in accordance with this Section.
  • Termination for Cause. The Practice may terminate this Agreement immediately if the Practice, in its sole discretion, determines that Patient Onboard, LLC has violated a material term of this Agreement. The Practice, at its option and within its sole discretion, may (1) permit Patient Onboard, LLC to take steps to cure the breach; and (2) in the event the Practice determines such cure is sufficient, elect to keep this Agreement in force.
  • Obligations of Patient Onboard, LLC Upon Termination. Upon termination of this Agreement for any reason, Patient Onboard, LLC shall promptly return to the Practice or destroy all PHI received from the Practice, or created or received by Patient Onboard, LLC on behalf of the Practice, that Patient Onboard, LLC still maintains in any form. Patient Onboard, LLC shall retain no copies of the PHI in any form. Upon request by the Practice, Patient Onboard, LLC shall promptly supply a certification executed by an officer (vice president level or above) of Patient Onboard, LLC confirming that Patient Onboard, LLC has returned or destroyed all PHI and all copies thereof.
  • Survival. The obligations of Patient Onboard, LLC under this Section shall survive the termination of this Agreement.

Limitation of liability, indemnification, & insurance

  • Limitation of Liability. To the extent that Patient Onboard, LLC has limited its liability under the terms of the Underlying Agreement, whether with a maximum recovery for direct damages or a disclaimer against any consequential, indirect or punitive damages, or other such limitations, all limitations shall exclude damages to the Practice arising out of a breach of this Agreement by Patient Onboard, LLC or any Breach of PHI by Patient Onboard, LLC.
  • Indemnification. Patient Onboard, LLC agrees to indemnify, defend, and hold harmless the Practice and its directors, officers, affiliates, employees, agents, and permitted successors from and against any and all claims, losses, liabilities, damages, costs, and expenses (including reasonable attorneys’ fees) arising out of or related to Patient Onboard, LLC’s breach of its obligations under this Agreement, including, but not limited to a Breach of Unsecured Protected Health Information by Patient Onboard, LLC.
  • Insurance. Patient Onboard, LLC agrees at the request of the Practice, to obtain and maintain insurance coverage against the improper use and disclosure of PHI by Patient Onboard, LLC, naming the Practice as a named insured. Promptly following a request by the Practice for the maintenance of such insurance coverage, Patient Onboard, LLC will provide a certificate evidencing such insurance coverage.

Miscellaneous provisions

  • Notices. Notices will be deemed to have been received upon actual receipt, one business day after being sent by overnight courier service, or three business days after mailing by first-class mail, whichever occurs first. Any notice required or permitted under this Agreement will be given in writing and will be sent:
    • To the Practice via United States Postal Service to the address on file as part of its account.
    • To Patient Onboard, LLC via United States Postal Service to P.O. Box 65902, West Des Moines, IA 50265.
  • Governing law. This Agreement will be governed by, and construed in accordance with the laws of the state of Iowa without giving effect to choice of law provisions thereof.
  • Waiver. No delay or omission by either party to exercise any right or remedy under this Agreement will be construed to be either acquiescence or the waiver of the ability to exercise any right or remedy in the future. Failure of a party to insist upon strict adherence to any term or condition of this Agreement shall not be considered a waiver by that party of its right thereafter to insist upon strict adherence to that, or any other, term or condition of this Agreement. No waiver of any breach of any provision of this Agreement shall constitute a waiver of any prior, concurrent or subsequent breach of the same or any other provisions hereof, and no waiver shall be effective unless made in writing and signed by an authorized representative of the waiving party.
  • Severability. All provisions of this Agreement are separate and divisible, and if any part or parts of this Agreement are held to be unenforceable, the remainder of this Agreement will continue in full force and effect.
  • Amendments. The parties shall amend this Agreement from time to time by mutual written agreement in order to keep this Agreement consistent with any changes made to the HIPAA laws or regulations in effect as of the Effective Date and with any new regulations promulgated under HIPAA. The Practice may terminate this Agreement and, where appropriate, the Underlying Agreement in whole or in part if the parties are unable to agree to such changes by the compliance date for such new or revised HIPAA laws or regulations.
  • Interpretation. In the event of any conflict between the provisions of this Agreement and the Underlying Agreement, the provisions of this Agreement shall control. Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits the parties to comply with HIPAA.
  • Automatic Amendment. This Agreement shall automatically incorporate any change or modification of applicable state or federal law as of the effective date of the change or modification. Patient Onboard, LLC agrees to maintain compliance with all changes or modifications to applicable state or federal law.
  • Independent contractor. The parties acknowledge and agree that Patient Onboard, LLC is an independent contractor. Nothing in this Agreement shall be construed to create any partnership, joint venture, agency, or employment relationship of any kind between the parties. Notwithstanding the foregoing, to the extent that Patient Onboard, LLC is ever determined for any purpose to be an agent of the Practice (under the Federal common law of agency or otherwise), Patient Onboard, LLC shall be acting outside of the scope of agency if Patient Onboard, LLC fails to notify the Practice immediately if Patient Onboard, LLC violates or breaches any provision of this Agreement or violates the HIPAA Rules.