Business Associate Addendum

 This Business Associate Agreement (“Agreement”) is entered into by and between Praktice, a Delaware professional corporation (“Business Associate”), and you (“Covered Entity”), and sets forth in writing certain understandings and procedures governing Praktice’s use of protected health information as that term is defined under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), and the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH”), and any regulations adopted under those laws by the United States Department of Health and Human Services and as those regulations may be amended from time to time.

The Covered Entity (stated above) represents and warrants that it:

  • Has full legal authority to enter into this agreement

  • Has read and understood this agreement

  • Agrees to the terms and conditions of this agreement

If the covered entity does not have the legal authority to enter into this agreement or does not agree to these terms, do not accept the terms of this agreement.

Definitions

Any defined term which is not otherwise defined in this Agreement shall have the meaning ascribed to such term in the Terms, and any capitalised term used in this Agreement but not defined in either this Agreement or the Terms shall have the meaning set forth in HIPAA (as defined below).

  1. Breach: “Breach” shall mean the acquisition, access, use or disclosure of PHI in a manner not permitted by the Privacy Rule that compromises the security or privacy of PHI as defined, and subject to the exclusions set forth, in 45 C.F.R. § 164.402.

  2. Business Associate: “Business Associate” shall generally have the same meaning as the term “business associate” at 45 CFR 160.103, and in reference to the party to this agreement, shall mean Praktice.

  3. Covered Entity: “Covered Entity” shall generally have the same meaning as the term “covered entity” at 45 CFR 160.103, and in reference to the party to this agreement, shall mean ______________.

  4. Effective Date: “Effective Date” shall mean the date Covered Entity agrees to the Agreement.

  5. Electronic Protected Health Information: “Electronic Protected Health Information” or “Electronic PHI” shall have the same meaning as the term “electronic protected health information” in 45 C.F.R. § 160.103, limited to the information that Business Associate creates, receives, maintains, or transmits for or on behalf of Covered Entity under the Services Agreement.

  6. HIPAA Rules: “HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.

  7. Privacy Rule: “Privacy Rule” shall mean the federal privacy regulations, as amended from time to time, issued pursuant to HIPAA and codified at 45 C.F.R. Parts 160 and 164 (Subparts A & E). 

  8. Security Rule: “Security Rule” shall mean the federal security regulations, as amended from time to time, issued pursuant to HIPAA and codified at 45 C.F.R. Parts 160 and 164 (Subparts A & C).

  9. Services Agreement: “Services Agreement” shall mean any present or future agreements, either written or oral, between Covered Entity and Business Associate under which Business Associate provides services to Covered Entity which involve the access, use or disclosure of PHI.

  10. Unsecured Protected Health Information: “Unsecured Protected Health Information” or “Unsecured PHI” shall have the same meaning as the term “unsecured protected health information” in 45 C.F.R. §164.402.

Obligations and Activities of Business Associate

  1. Use and Disclosure: Business Associate agrees not to use or disclose Protected Health Information other than as permitted by the Services Agreement or this Agreement, or as Required by Law. To the extent Business Associate is carrying out one or more of Covered Entity's obligations under the Privacy Rule pursuant to the terms of the Underlying Agreement or this Agreement, Business Associate shall comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of such obligation(s). 

  2. Appropriate Safeguards: Business Associate agrees to use reasonable and appropriate administrative, physical, and technical safeguards to prevent the use or disclosure of the Protected Health Information other than as provided for by the Services Agreement or this Agreement, consistent with the requirements of the Security Rule (with respect to Electronic PHI).

  3. Mitigation: Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate as a result of a use or disclosure of PHI by Business Associate in violation of this Agreement's requirements, including a Breach of Unsecured PHI.

  4. Reporting of Breaches and Impermissible Uses and Disclosures: Business Associate agrees to report to Covered Entity any: (i) Breach of Unsecured PHI in accordance with 45 C.F.R. § 164.410; and (ii) use or disclosure of PHI not provided for by this Agreement of which it becomes aware in accordance with 45 C.F.R. § 164.504.

  5. Reporting of Security Incidents: Business Associate agrees to report to Covered Entity any Security Incident of which it becomes aware in accordance with 45 C.F.R. § 164.314; provided, however, continuing notice is hereby deemed provided, and no further notice will be provided, for Unsuccessful Security Incidents. For purposes of this Agreement, “Unsuccessful Security Incidents” shall include, but not be limited to, pings and other broadcast attacks on a firewall, unsuccessful login attempts, denial of service attacks, port scans, and any combination of the above, provided that no such incident results in unauthorised access, use, or disclosure of Electronic PHI. Business Associate’s obligation to report under this Section 2(d) is not and will not be construed as an acknowledgement by Business Associate of any fault or liability with respect to any use, disclosure, or Breach.

  6. Subcontractors: Business Associate agrees to ensure that any agent, including a subcontractor to whom it provides Protected Health Information, shall agree, in writing, to restrictions and conditions at least as stringent as those that apply to Business Associate under this Agreement, including complying with the applicable Security Rule requirements with respect to Electronic PHI.

  7. Company Access and Amendment: All Protected Health Information maintained by Business Associate in a Designated Record Set for Covered Entity will be available to Covered Entity, upon Covered Entity’s request, in a time and manner that reasonably allows Covered Entity to comply with the requirements under 45 C.F.R. §§ 164.524 and 164.526. Business Associate shall not be obligated to provide any such information directly to any Individual or person other than to the Covered Entity. To the extent an Individual makes an access and/or amendment request directly to Business Associate, Business Associate shall promptly forward the request to the Covered Entity.

  8. Minimum Necessary Requirement: Business Associate agrees that when requesting, using or disclosing PHI in accordance with 45 C.F.R. § 502(b)(1) that such request, use or disclosure shall be to the minimum extent necessary, including the use of a "limited data set" as defined in 45 C.F.R. § 164.514(e)(2), to accomplish the intended purpose of such request, use or disclosure, as interpreted under related guidance issued by the Secretary from time to time.

  9. Amendment of PHI: Business Associate agrees to make PHI contained in a Designated Record Set available to Covered Entity for amendment pursuant to 45 C.F.R. § 164.526. If an individual makes a request for amendment pursuant to 45 C.F.R. § 164.526 directly to Business Associate, or inquires about his or her right to access, Business Associate shall forward it to Covered Entity. Any response to such request shall be the responsibility of Covered Entity. 

  10. Access to Books and Records: Business Associate agrees to make internal practices, books, and records available to the Secretary, in a time and manner designated by the Secretary, for purposes of the Secretary's determining Covered Entity’s or Business Associate’s compliance with the Privacy Rule; provided, however, that time incurred by Business Associate in complying with any such request to assess Covered Entity’s compliance that exceeds its normal customer service parameters shall be charged to Covered Entity at Business Associate's then-current standard hourly rate.

  11. Accounting: In the event that Business Associate makes disclosures of Protected Health Information to Individuals or any person other than to Covered Entity, it shall document the disclosure as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures in accordance with 45 C.F.R. §164.528, and shall provide such documentation to Covered Entity promptly upon request.

Permitted Uses and Disclosures by Business Associate 

  1. Use for Administration of Business Associate: Except as otherwise limited in this Agreement, Business Associate may use Protected Health Information obtained to provide the Services for the proper management and administration of Business Associate and to carry out the legal responsibilities of Business Associate.

  2. Disclosure for Administration of Business Associate: Except as otherwise limited in this Agreement, Business Associate may disclose Protected Health Information for the proper management and administration of Business Associate, provided that (i) disclosures are required by Law, or (ii) Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.

  3. Use for Data Aggregation Services to Company: Business Associate may provide data aggregation services relating to the health care operations of Company.

  4. De-identified Data: Business Associate may de-identify Protected Health Information in accordance with 45 C.F.R. §164.514 and use and disclose such de-identified data for its business purposes, including to provide reporting and other services to Covered Entity.

Obligations of Covered Entity

  1. Data Security: Covered Entity will use appropriate safeguards to maintain the confidentiality, privacy and security of PHI when transmitting it to Business Associate pursuant to this Agreement. Covered Entity agrees to comply with any data security safeguards assigned to Covered Entity in any Services Agreement.

  2. Privacy Notice: Covered Entity shall notify Business Associate of any limitation(s) in Covered Entity’s notice of privacy practices under 45 C.F.R. § 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of Protected Health Information.

  3. Changes of Permission of Individual: Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by Individual to use or disclose Protected Health Information, to the extent that such changes may affect Business Associate's use or disclosure of Protected Health Information.

  4. Restrictions on Use or Disclosure: Covered Entity shall notify Business Associate of any restriction to the use or disclosure of Protected Health Information that Covered Entity has agreed to in accordance with 45 C.F.R. § 164.522, to the extent that such restriction may affect Business Associate's use or disclosure of Protected Health Information.

  5. Requested Uses and Disclosures: Covered Entity agrees that it will not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under the Privacy Rule if done by Covered Entity.

  6. Permissions: Covered Entity warrants that it has obtained all necessary authorizations, consents, and other permissions that may be required under applicable law prior to placing data, including without limitation PHI, on Business Associate’s systems.

Term and Termination

  1. Term: The Term of this Agreement shall be effective as of the Effective Date, and shall continue according to the terms of the Agreement or on the date Covered Entity terminates for cause as authorized in paragraph (b) of this Section, whichever is sooner.

  2. Termination for Cause: Business Associate authorizes termination of this Agreement by Covered Entity, if Covered Entity determines Business Associate has violated a material term of this Agreement and Business Associate has not cured the breach or ended the violation within thirty (30) days after written notice from Covered Entity of the violation and associated term of this Agreement.

  3. Obligations of Business Associate Upon Termination: Upon termination of this Agreement for any reason, eClinicalWorks, with respect to Protected Health Information received from Covered Entity, or created, maintained, or received by Business Associate on behalf of Covered Entity, shall:

3.1 Retain only that PHI that is necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities; 

3.2 Return to Covered Entity or, if agreed to by Covered Entity in writing, destroy the remaining PHI that the Business Associate still maintains in any form;

3.3 Continue to use appropriate safeguards and comply with Subpart C of 45 C.F.R. Part 164 with respect to ePHI to prevent use or disclosure of the PHI, other than as provided for in this Section 6, for as long as Business Associate retains the PHI; 

3.4 Limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI;

3.5 Return to Covered Entity or destroy the PHI retained by Business Associate when it is no longer needed by Business Associate for its proper management and administration or to carry out its legal responsibilities.

Miscellaneous

  1. Amendment: The Parties agree to take such action as is necessary to amend this Agreement to comply with the requirements of the HIPAA Rules and any other applicable law.

  2. Survival: The respective rights and obligations of Business Associate under section “Term and Termination” of this Agreement shall survive the termination of this Agreement.

  3. Regulatory References: A reference in this Agreement to a section of the HIPAA Rules means the section as in effect or amended.

  4. Interpretation: Any ambiguity in this Agreement shall be interpreted to permit compliance with the HIPAA Rules.

  5. Counterparts: This Agreement may be executed in any number of counterparts which, when taken together, will constitute one original, and photocopy, facsimile, electronic or other copies shall have the same effect for all purposes as an ink-signed original. Each Party hereto consents to be bound by electronic, photocopy or facsimile signatures of such Party’s representative hereto.

  6. Complete Agreement: This Agreement constitutes the final, complete and exclusive agreement between the Parties with respect to its subject matter and supersedes all past and contemporaneous agreements, promises, and understandings, whether oral or written. This Agreement may not be amended or modified except by a writing signed by both Parties and identified as an amendment to this Agreement. 

  7. Severability: In the event any provision of this Agreement is held to be invalid or unenforceable, the remainder of this Agreement shall remain in full force and effect.

  8. Governing Law: Except to the extent preempted by federal law, this Agreement shall be governed by and construed in accordance with the laws of the state in which the Covered Entity's principal place of business is located. 

* If you are a patient, please contact your healthcare provider directly. Please do not send any sensitive personal or health information to Praktice.
