Sign in
Start Free

Business Associate Agreement

ReadySetConnect

RECITALS

WHEREAS, the Business Associate provides services to Covered Entities (e.g., clinics) and, in the course of providing such services, may use or disclose Protected Health Information (“PHI”) as defined in the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (“HIPAA”);

WHEREAS, the Subcontractor (ReadySetConnect) provides practice management technology services to the Business Associate that involve the storage, transmission, or processing of PHI on behalf of the Business Associate;

WHEREAS, Business Associate and Subcontractor intend to comply with HIPAA, the HITECH Act, and related regulations, including the Privacy Rule, Security Rule, and Breach Notification Rule;

NOW, THEREFORE, the parties agree as follows:

1. Definitions

Capitalized terms used but not otherwise defined in this Agreement shall have the meaning set forth in HIPAA
  • Protected Health Information (PHI): Individually identifiable health information transmitted or maintained in any form or medium.
  • Breach: As defined in 45 CFR § 164.402.
  • Security Incident: As defined in 45 CFR § 164.304.

Obligations of Subcontractor (Readysetconnect)

  • 2.1 Permitted Uses and Disclosures: Subcontractor may use or disclose PHI solely to provide ser
  • 2.2 Limitations: Subcontractor shall not use or disclose PHI other than as permitted or required by this Agreement or as required by law.
  • 2.3 Safeguards: Subcontractor shall implement appropriate administrative, technical, and physical safeguards to protect PHI, including compliance with the HIPAA Security Rule regarding Electronic PHI.
  • 2.4 Reporting of Incidents and Breaches: Subcontractor shall report to Business Associate any Security Incident upon discovery. In the event of a Breach of Unsecured PHI, Subcontractor shall notify Business Associate within ten (10) calendar days of discovery. The report shall include:
  • A description of the breach, including the date of occurrence and discovery
  • The type of PHI involved
  • Steps Individuals should take
  • Steps Subcontractor is taking to mitigate the breach
  • 2.5 Sub-subcontractors: Subcontractor shall ensure that any downstream third party (sub-subcontractor) that accesses PHI agrees in writing to comply with the same restrictions and conditions that apply to Subcontractor.
  • 2.6 Access to PHI: Subcontractor shall provide access to PHI in its possession to Business Associate or to an Individual as directed by Business Associate, to the extent required by 45 CFR § 164.524.
  • 2.7 Amendments: Subcontractor shall amend PHI in its possession upon request by Business Associate in accordance with 45 CFR § 164.526.
  • 2.8 Accounting of Disclosures: Subcontractor shall provide an accounting of disclosures as necessary for Business Associate to comply with 45 CFR § 164.528.
  • 2.9 Government Access: Subcontractor shall make its internal practices, books, and records available to the Secretary of HHS for HIPAA compliance determination.
  • 2.10 Minimum Necessary: Subcontractor shall limit its use and disclosure of PHI to the minimum necessary to perform its obligations.

3. Obligations of Business Associate (you)?

  • 3.1 Notice of Restrictions: Business Associate shall inform Subcontractor of any limitations, restrictions, or changes in PHI use or disclosure that may affect Subcontractor’s performance.
  • 3.2 No Impermissible Requests: Business Associate shall not request Subcontractor to use or disclose PHI in a way that would violate HIPAA.

4. Term and Termination

  • 4.1 Term: This Agreement is effective as of the Effective Date and shall remain in effect until terminated by either party or upon termination of the Business Associate’s use of ReadySetConnect.
  • 4.2 Termination for Cause: Either party may terminate this Agreement if the other party materially breaches it and fails to cure such breach within 30 days after written notice.
  • 4.3 Effect of Termination: Upon termination, Subcontractor shall return or securely destroy all PHI, if feasible. If not feasible, Subcontractor shall continue to safeguard PHI and limit further use/disclosure.

5. Miscellaneous

  • 5.1 Regulatory References: References to HIPAA include all amendments and implementing regulations.
  • 5.2 Amendments: This Agreement may be modified only in writing, signed by both parties.
  • 5.3 Interpretation: Any ambiguity shall be interpreted to allow compliance with HIPAA.
  • 5.4 Entire Agreement: This Agreement, together with the Terms of Service, constitutes the full agreement concerning PHI.
  • 5.5 Governing Law: This Agreement shall be governed by the laws of the State of [Insert State].
  • 5.6 Notices: All notices shall be in writing and sent to the address or contact information provided during registration.
Sign in
Start Free