Business Associate Agreement

Version: v1 · Business Associate: Mask of Janus LLC d/b/a Slad ("Slad") · Covered Entity: the practice accepting this Agreement ("Client") · Effective on electronic acceptance (the "Activation Date").

This Business Associate Agreement ("BA Agreement") governs Slad's handling of Protected Health Information ("PHI") created, received, maintained, or transmitted on behalf of Client in connection with Slad's clinical records and operations services (the "Services"). It supplements and is incorporated into the agreement under which Slad provides the Services (the "Agreement"). Capitalized terms not defined here have the meanings in the HIPAA Rules (45 CFR Parts 160 and 164) or the Agreement.

1. Definitions

"HIPAA Rules" means the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Parts 160 and 164. "Breach," "Security Incident," "Designated Record Set," "Required by Law," "Unsecured PHI," and other capitalized terms have the meanings given in the HIPAA Rules.

2. Obligations and Activities of Slad

  1. Limited use; minimum necessary. Slad will not use or disclose PHI other than as permitted by this BA Agreement or as Required by Law, and will limit PHI to the minimum amount reasonably necessary to accomplish the intended purpose.
  2. Safeguards. Slad will use appropriate administrative, physical, and technical safeguards — and comply with the HIPAA Security Rule with respect to electronic PHI — to protect the confidentiality, integrity, and availability of PHI and to prevent use or disclosure not permitted by this BA Agreement.
  3. Mitigation. Slad will mitigate, to the extent commercially practicable, any harmful effect known to Slad of a use or disclosure of PHI in violation of this BA Agreement.
  4. Reporting. Slad will report to Client: (a) any use or disclosure of PHI not permitted by this BA Agreement of which it becomes aware, without unreasonable delay; (b) any Breach of Unsecured PHI as required by 45 CFR 164.410, without unreasonable delay and in no event later than 60 calendar days after discovery; and (c) any successful Security Incident of which it becomes aware, within 60 calendar days. The parties acknowledge that unsuccessful Security Incidents (e.g., routine immaterial events such as pings, port scans, and failed log-in attempts that do not result in unauthorized access to PHI) occur frequently, and this Section serves as notice of them without further per-event reporting.
  5. Subcontractors. Slad will ensure that any subcontractor that creates, receives, maintains, or transmits PHI on Slad's behalf agrees in writing to restrictions and conditions at least as protective as those that apply to Slad under this BA Agreement.
  6. Access. Slad will make PHI in a Designated Record Set available to Client as needed to satisfy Client's obligations under 45 CFR 164.524, by making the hosted Services available to Client.
  7. Amendment. Slad will make PHI available for amendment and incorporate amendments as directed by Client under 45 CFR 164.526.
  8. Accounting. Slad will document disclosures of PHI and make available the information required for Client to respond to an accounting request under 45 CFR 164.528.
  9. Availability to HHS. Slad will make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of HHS for purposes of determining Client's compliance with the HIPAA Rules.
  10. Privacy Rule obligations. To the extent Slad carries out an obligation of Client under the Privacy Rule, Slad will comply with the requirements of the Privacy Rule that apply to Client in the performance of that obligation.

3. Permitted Uses and Disclosures by Slad

Slad may use or disclose PHI to perform the Services for or on behalf of Client, provided the use or disclosure would not violate the HIPAA Privacy Rule if done by Client, except as set out in Section 4.

4. Specific Use and Disclosure Provisions

  1. Management and administration. Slad may use PHI for the proper management and administration of Slad and to carry out Slad's legal responsibilities.
  2. Disclosure for management. Slad may disclose PHI for its proper management and administration only if the disclosure is Required by Law, or Slad obtains reasonable assurances that the recipient will hold the PHI confidentially, use or further disclose it only as Required by Law or for the purpose disclosed, and notify Slad of any breach of confidentiality.
  3. Data aggregation. Slad may use and disclose PHI to provide Data Aggregation services relating to the health care operations of Client as permitted by 45 CFR 164.504(e)(2)(i)(B).
  4. De-identification. Slad may create de-identified health information in accordance with the HIPAA Privacy Rule de-identification standards (45 CFR 164.514(a)–(b)) and may use and disclose such de-identified information for any purpose not prohibited by applicable law. De-identified information is not PHI; as between the parties, Slad owns the de-identified information it creates.

5. Obligations of Client

  1. Client will notify Slad of any limitation in its notice of privacy practices (45 CFR 164.520), any change in or revocation of permission by an individual, and any restriction on the use or disclosure of PHI Client has agreed to or is required to abide by (45 CFR 164.522), to the extent any of these may affect Slad's use or disclosure of PHI.
  2. Client will not request Slad to use or disclose PHI in any manner that would not be permissible under the HIPAA Privacy Rule if done by Client.

6. Term and Termination

  1. Term. This BA Agreement is effective on the Activation Date and remains in effect until all PHI is returned, destroyed, or protected under Section 6.4.
  2. Termination for cause. If a party materially breaches this BA Agreement, the non-breaching party may provide written notice describing the breach and an opportunity to cure; if the breach is not cured within 60 calendar days, the non-breaching party may terminate on 30 days' written notice.
  3. HIPAA change. If a change in the HIPAA Rules or related guidance means the relationship is no longer a business-associate relationship, either party may notify the other, and upon mutual agreement this BA Agreement terminates.
  4. Effect of termination. On termination for any reason, Slad will return or destroy all PHI it maintains on behalf of Client and retain no copies, in accordance with 45 CFR 164.504(e)(2)(ii)(I); this extends to PHI held by Slad's subcontractors. If return or destruction is infeasible, Slad will extend the protections of this BA Agreement to that PHI and limit further uses and disclosures to those that make return or destruction infeasible (which may include retention required by applicable law or Slad's records-retention policy, or PHI for which Client has not confirmed successful export).

7. Miscellaneous

  1. Remedies. If Slad breaches this BA Agreement, Client may exercise the rights and remedies available under the Agreement, subject to any applicable limitations of liability in the Agreement.
  2. Payment processing. This BA Agreement does not apply to activities that constitute payment processing within the meaning of Section 1179 of the Social Security Act (42 USC 1320d-8).
  3. Amendment. The parties will amend this BA Agreement as necessary to comply with the HIPAA Rules.
  4. Survival. Slad's obligations under Section 6.4 survive termination.
  5. Interpretation. Any ambiguity in this BA Agreement is resolved to permit the parties to comply with the HIPAA Rules. References to a section of the HIPAA Rules mean the section as in effect or as amended.
  6. Conflict. In the event of a conflict between this BA Agreement and the other provisions of the Agreement, this BA Agreement controls as to PHI.
  7. Governing law. This BA Agreement is governed by the law specified in the Agreement. [Confirm governing-law/venue with counsel.]

By checking the acceptance box at signup, Client agrees to this BA Agreement as of the date of acceptance.