HIPAA Business Associate Agreement
Last updated January 16, 2025
This HIPAA Business Associate Agreement (“BAA”) is entered into by and between Employer or Customer (“Covered Entity”), and Paytient Technologies, Inc., (“Business Associate”) (each a “Party” and collectively, the “Parties”).
Recitals
WHEREAS, Covered Entity has engaged Business Associate to perform Services for or on behalf of Covered Entity pursuant to a services agreement (the “Master Agreement”);
WHEREAS, Covered Entity qualifies as a “covered entity,” as that term is defined under the Health Insurance Portability and Accountability Act of 1996, as amended and the regulations promulgated thereunder which include the Standards for the Privacy of Individually Identifiable Health Information (the “Privacy Rule”), the Standards for Electronic Transactions, and the Security Rule (45 C.F.R. Parts 160–64), and the Privacy provisions (Subtitle D) of the Health Information Technology for Economic and Clinical Health Act and its implementing regulations (the “HITECH Act”) (collectively “HIPAA”);
WHEREAS, in conjunction with the Master Agreement, Covered Entity may disclose to Business Associate or Business Associate may have access to or create certain information of patients of Covered Entity which constitutes PHI, as defined below;
WHEREAS, as a covered entity, Covered Entity is required under HIPAA to enter into an agreement regarding the use and disclosure of PHI to individuals or entities providing services on its behalf, where the uses and disclosures are for purposes other than treatment;
NOW, THEREFORE, for mutual consideration, the sufficiency and delivery of which is acknowledged by the Parties, and upon the premises and covenants set forth herein, the Parties agree as follows:
1. Definitions.
Unless otherwise defined herein, terms used in this BAA shall have the meanings ascribed to them in HIPAA or the Master Agreement between Covered Entity and Business Associate, as applicable.
2. Obligations and Activities of Business Associate.
To the extent that Business Associate is provided with or creates any PHI on behalf of Covered Entity, Business Associate agrees to comply with the provisions of HIPAA applicable to Covered Entity, and in doing so, represents and warrants as follows:
(a) Use or Disclosure. Business Associate agrees to not use or disclose PHI other than as set forth in this BAA, the Master Agreement, or as required by law.
(b) Specific Use of Disclosure. Except as otherwise limited by this BAA, Business Associate may use or disclose PHI:
(i) to perform data aggregation and other services required under the Master Agreement to assist Covered Entity in its operations, as long as such use or disclosure would not violate HIPAA if done by Covered Entity, or HIPAA permits such use or disclosure by Business Associate; and
(ii) for the proper management and administration of Business Associate or to carry out Business Associate’s legal responsibilities, provided that with respect to disclosures of PHI, such disclosure is required by law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
(c) Minimum Necessary. Business Associate agrees to take reasonable efforts to limit requests for, or uses and disclosures of, PHI to the extent practical, a limited data set, or otherwise to the minimum necessary to accomplish the intended request, use, or disclosure.
(d) Safeguards. Business Associate shall establish appropriate safeguards, consistent with HIPAA, that are reasonable and necessary to prevent any use or disclosure of PHI not expressly authorized by this BAA.
(i) To the extent that Business Associate creates, receives, maintains, or transmits Electronic PHI, Business Associate agrees to establish administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the Electronic PHI that it creates, receives, maintains, or transmits on behalf of Covered Entity, as required by the Privacy Rule and Security Rule.
(ii) The safeguards established by Business Associate shall include securing PHI that it creates, receives, maintains, or transmits on behalf of Covered Entity in accordance with the standards set forth in Section 13402(h) of the HITECH Act and any guidance issued thereunder.
(iii) Business Associate agrees to provide Covered Entity with such written documentation concerning safeguards as Covered Entity may reasonably request from time to time.
(e) Agents and Subcontractors. Business Associate agrees to obtain written assurances that any agents, including subcontractors, to whom it provides PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, agree to restrictions and conditions that are no less stringent than those that apply to Business Associate with respect to such PHI.
(f) Reporting. Within ten (10) business days of discovery by Business Associate, Business Associate agrees to notify Covered Entity in writing of any use or disclosure of, or Security Incident involving, PHI, including any Breach of Unsecured PHI, not provided for by this BAA or the Master Agreement, of which Business Associate may become aware. Notwithstanding the preceding, the parties acknowledge and agree that this Section constitutes notice by Business Associate to Covered Entity of the following: (i) Business Associate shall not be required to report statutory exceptions to Breaches of Unsecured PHI (“Exclusions” as defined in 42 C.F.R. 164.402(l)) but will retain appropriate documentation and shall make it available to Covered Entity upon request with reasonable notice; and (ii) of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined below) for which no additional notice to Covered Entity shall be required. “Unsuccessful Security Incidents” shall be defined as pings and other broadcast attacks on Business Associate’s perimeter infrastructure or firewall; unsuccessful port scans; unsuccessful log-on attempts; unsuccessful denials of service; unsuccessful malware, virus, ransomware, and/or phishing attempts; and/or any combination of the above, so long as no such incident results in unauthorized access, use and/or disclosure of PHI.
(i) In the notice provided to Covered Entity by Business Associate regarding unauthorized uses and/or disclosures of PHI, Business Associate shall describe the remedial or proposed mitigation efforts required under Section 2(g) of this BAA.
(ii) With respect to a Breach of Unsecured PHI, Business Associate agrees to include the identity of the individual(s) whose Unsecured PHI was Breached in the written notice provided to Covered Entity, to the extent known, and any additional information required by HIPAA.
(iii) Business Associate agrees to cooperate with Covered Entity upon report of any such Breach so that Covered Entity may refer such report to the appropriate Covered Entity to provide the individual(s) affected by such Breach with proper notice as required by HIPAA.
(g) Mitigation. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate resulting from a use or disclosure of PHI by Business Associate in violation of the requirements of this BAA or the Master Agreement.
(h) Audits and Inspections. Business Associate agrees to make its internal practices, books, and records, including policies and procedures, relating to the use and disclosure of PHI available to the Secretary, in a time and manner mutually agreed to by the Parties or designated by the Secretary, for purposes of the Secretary determining Covered Entity’s and the Covered Entities’ compliance with HIPAA.
(i) Accounting. Business Associate agrees to document and report to Covered Entity, within ten (10) days of a request by Covered Entity, Business Associate’s disclosures of PHI so Covered Entity can refer the report to the appropriate Covered Entity in order for such Covered Entity to comply with its accounting of disclosure obligations in accordance with 45 C.F.R. § 164.528.
(j) Designated Record Set. While the Parties do not intend for Business Associate to maintain any PHI in a designated record set, to the extent that Business Associate does maintain any PHI in a designated record set, Business Associate agrees to promptly make available to Covered Entity PHI for:
(i) Covered Entity to assist Covered Entities in complying with their access obligations in accordance with 45 C.F.R. § 164.524; and
(ii) Amendment to PHI as may be required for Covered Entities to comply with their amendment obligations in accordance with 45 C.F.R. § 164.526.
(k) Business Associate As Agent. To the extent that Covered Entity carries out one or more obligations of Covered Entity under the Privacy Rule, Covered Entity will comply with the requirements of the Privacy Rule that apply to Covered Entity in performing such obligations.
3. Obligations of Covered Entity.
(a) Covered Entity agrees to notify Business Associate of any limitation(s) in Covered Entity’s notice of privacy practices in accordance with 45 C.F.R. § 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI.
(b) Covered Entity agrees to notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent that such changes may affect Business Associate’s use or disclosure of PHI.
(c) Covered Entity agrees to notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 C.F.R. § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.
4. Term and Termination.
(a) Term. This BAA shall become effective upon the Effective Date and, unless otherwise terminated as provided herein, shall remain in effect until the expiration or earlier termination of the Master Agreement.
(b) Termination Upon Breach. Without limiting the termination rights of the Parties pursuant to the Master Agreement, upon either Party’s knowledge of a material breach of this BAA by the other Party, the non-breaching Party shall notify the breaching Party of such breach and the breaching Party shall have thirty (30) days from the date of notification by the non-breaching Party to cure such breach. In the event that such breach is not cured within such thirty (30) day period, or cure is infeasible, the non-breaching Party shall have the right to immediately terminate this BAA and those portions of the Master Agreement that involve the disclosure to Business Associate of PHI, or, if non-severable, the Master Agreement.
(c) Termination by Either Party. Either Party may terminate this BAA upon provision of thirty (30) days’ prior written notice.
(d) Effect of Termination.
(i) To the extent feasible, upon termination of this BAA or the Master Agreement for any reason, Business Associate agrees, and shall cause any subcontractors or agents to agree, to return or destroy and retain no copies of all PHI received from, or created or received by Business Associate on behalf of, Covered Entity through its BAA with a Covered Entity. Business Associate agrees to complete such return or destruction as promptly as possible and verify in writing within thirty (30) days of the termination of this BAA to Covered Entity that such return or destruction has been completed.
(ii) If it is not feasible to return or destroy such PHI, Business Associate agrees to provide Covered Entity notification of the conditions that make return or destruction of PHI not feasible. Business Associate agrees to extend the protections of this BAA to such PHI for as long as Business Associate maintains such PHI.
5. Miscellaneous.
(a) Regulatory References. A reference in this BAA to a section in the Privacy Rule or Security Rule means the section as in effect or as amended.
(b) Amendment. The Parties acknowledge that the provisions of this BAA are designed to comply with HIPAA and agree to take such action as is necessary to amend this BAA from time to time as is necessary for Covered Entity to comply with the requirements of HIPAA. Regardless of the execution of a formal amendment of this BAA, upon a change in law that affects the rights or obligations of the Parties under this BAA, this BAA shall automatically be deemed amended to permit the Covered Entity and Business Associate to comply with HIPAA.
(c) Method of Providing Notice. Any notice required to be given pursuant to the terms and provisions of this BAA shall be in writing and may be either personally delivered or sent by registered or certified mail in the United States Postal Service, Return Receipt Requested, postage prepaid, addressed to each Party at the addresses listed in the Master Agreement currently in effect between Covered Entity and Business Associate. Any such notice shall be deemed to have been given if mailed as provided herein, as of the date mailed.
(d) Parties Bound. This BAA shall inure to the benefit of and be binding upon the Parties hereto and their respective legal representatives, successors, and assigns. Business Associate may not assign or subcontract the rights or obligations under this BAA without the express written consent of Covered Entity. Covered Entity may assign its rights and obligations under this BAA to any successor or affiliated entity.
(e) No Waiver. No provision of this BAA or any breach thereof shall be deemed waived unless such waiver is in writing and signed by the Party claimed to have waived such provision or breach. No waiver of a breach shall constitute a waiver of or excuse any different or subsequent breach.
(f) Effect on Master Agreement. This BAA together with the Master Agreement constitutes the complete agreement between the Parties and supersedes all prior representations or agreements, whether oral or written, with respect to such matters. In the event of any conflict between the terms of this BAA and the terms of the Master Agreement, the terms of this BAA shall control unless the terms of such Master Agreement are stricter, as determined by Covered Entity, with respect to PHI and compliance with HIPAA, or the Parties specifically otherwise agree in writing. No oral modification or waiver of any of the provisions of this BAA shall be binding on either Party. No obligation on either Party to enter into any transaction is to be implied from the execution or delivery of this BAA.
(g) Interpretation. Any ambiguity in this BAA shall be resolved to permit the Parties to comply with HIPAA and any subsequent guidance.
(h) No Third Party Rights. The terms of this BAA are not intended nor should they be construed to grant any rights, remedies, obligations, or liabilities whatsoever to parties other than Business Associate and Covered Entity and their respective successors or assigns.
(i) Applicable Law. This BAA shall be governed under the laws of the state of Missouri.