BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement (“Agreement”) is effective as of March 1st, 2021 by and between FACEMYDOC INC. (“FMD”) and all present and future affiliates (hereinafter referred to as the “Business Associate”) and the licensed healthcare provider (hereinafter referred to as “Covered Entity”).
Business Associate and Covered Entity each sometimes individually referred to herein as a “Party” and collectively referred to herein as the “Parties”.
WHEREAS, the Parties wish to enter into or have entered into an arrangement (“Arrangement”) whereby Business Associate will provide certain services to Covered Entity and, in providing those services, Business Associate may have access to Protected Health Information (“PHI”)(defined below) and may maintain, transmit and receive Electronic Protected Health Information (“EPHI”)(defined below)(PHI and EPHI are collectively referred to herein as PHI or Protected Health Information; EPHI will be used when only EPHI is being referenced);
WHEREAS, Covered Entity and Business Associate intend to protect the privacy and provide for the security of any PHI which shall be disclosed to Business Associate pursuant to the Arrangement, in compliance with the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 (“HIPAA”) and regulations promulgated thereunder by the United States Department of Health and Human Services (“HIPAA Regulations”) and other applicable laws; and
WHEREAS, as part of the HIPAA Regulations, the Privacy and Security Rule (defined below) requires Business Associate to enter into a contract containing specific provisions intended to preserve the confidentiality and security of PHI obtained by Business Associate in the course of its business relationship with Covered Entity (defined below) prior to any disclosure of the PHI to Business Associate. The specific provisions are set forth in, but not limited to, Title 45, Sections 164.306, 164.308(b), 164.314(a) and (b), 164.502(e) and 164.504(e) of the Code of Federal Regulations and are applicable to this Agreement.
NOW THEREFORE, in consideration of the mutual promises below, and the exchange of PHI pursuant to the terms of this Agreement, the Parties agree as follows:
As used in this Agreement, the following terms shall have the indicated meaning. Capitalized terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms in 45 CFR Sections 160.103 and 164.501. The definitions below which set forth a reference to the Code of Federal Regulations are defined HIPAA terms, and such definitions are incorporated herein as though set forth in full. A change to the HIPAA Regulations which modifies any defined HIPAA term, or which alters the regulatory citation for the definition, shall be deemed incorporated into this Agreement.
1.1 Arrangement means the agreement, either with or without a written contract, between Covered Entity and Business Associate, whereby Business Associate provides or will provide certain services to Covered Entity and, in providing those services, may have access to PHI.
1.2 Authorization shall have the meaning given to the term under the Privacy and Security Rule, including, but not limited to, 45 CFR Section 164.508.
1.3 Business Associate shall mean FACEMYDOC INC., as defined. Where the term “business associate” appears without initial capital letters, it shall have the meaning given to such term under the Privacy and Security Rule, including, but not limited to, 45 CFR Section 160.103.
1.4 Covered Entity shall mean the licensed healthcare provider using the FMD platform and other services. It shall also have the meaning given to the term under the Privacy and Security Rule, including, but not limited to, 45 CFR Section 160.103.
1.5 Data Aggregation shall have the meaning given to the term under the Privacy and Security Rule, including, but not limited to, 45 CFR Section 164.501.
1.6 Designated Record Set shall have the meaning given to the term under the Privacy and Security Rule, including, but not limited to, 45 CFR Section 164.501.
1.7 Electronic Protected Health Information (“EPHI”) shall have the meaning given to the term Electronic Protected Health Care Information under the Privacy and Security Rule, including, but not limited to, 45 CFR Section 160.103.
1.8 Health Care Operations shall have the meaning given to the term under the Privacy and Security Rule, including, but not limited to, 45 CFR Section 164.501.
1.9 Individual shall have the meaning given to the term under the Privacy and Security Rule, including, but not limited to, 45 CFR Section 164.501. It shall also include a person who qualifies as a personal representative in accordance with 45 CFR Section 164.502(g).
1.10 Privacy and Security Rule shall mean the Standards for Privacy of Individually Identifiable Health Information and the Security Standards for the Protection of Electronic Protected Health Information that is codified at 45 CFR parts 160 and 164.
1.11 Protected Health Information (“PHI”) means any information, whether oral or recorded in any form, or medium: (i) that relates to the past, present or future physical or mental condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual; and (ii) that identifies the individual or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual, and shall have the meaning given to the term under the Privacy and Security Rule, including, but not limited to, 45 CFR Section 164.501.
1.12 Required by Law shall have the meaning given to the term under the Privacy and Security Rule, including but not limited to, 45 CFR Section 164.501.
1.13 Security Incident shall mean the attempted or successful unauthorized access, use, disclosure, modification, or destruction of EPHI, or interference with system operations in an information system.
1.14 Security Standards shall mean those security standards promulgated or to be promulgated pursuant to HIPAA and other applicable federal and state regulations or statutes.
2.0 Obligations of Business Associate
2.1 Use and Disclosure of Protected Health Information. Business Associate may use and disclose PHI only as required to satisfy its obligations under the Arrangement or this Agreement, as permitted herein, or as Required by Law, but shall not otherwise use or disclose any PHI. Business Associate shall not, and shall ensure that its directors, officers, employees, contractors and agents do not, use or disclose PHI in any manner that would constitute a violation of the Privacy and Security Rule if done by the Covered Entity, except that Business Associate may use PHI if necessary (i) for the proper management and administration of Business Associate, (ii) to carry out the legal responsibilities of Business Associate, or (iii) to provide Data Aggregation services relating to the Health Care Operations of the Covered Entity. Business Associate further represents that, to the extent it requests Covered Entity to disclose PHI to Business Associate, such request will only be for the minimum PHI necessary for the accomplishment of Business Associate’s purpose.
2.2 Safeguards Against Misuse of Information. Business Associate agrees to use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement.
2.3 Mitigation of Harmful Effects. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this Agreement.
2.4 Reporting of Violations. Business Associate shall, within thirty (30) days of becoming aware of any use or disclosure of PHI in violation of this Agreement by Business Associate or any of its officers, directors, employees, contractors or agents, report such use or disclosure to the Covered Entity.
2.5 Agreements by Third Parties. Business Associate agrees to ensure that any agent, including a subcontractor, to whom it provides or transmits PHI received from, or created or received by Business Associate on behalf of Covered Entity agrees to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information.
2.6 Access to Information. Business Associate shall provide access, at the request of an Individual, and in the time and manner Required by Law, to PHI in a Designated Record Set in order to meet the requirements of 45 CFR Section 164.524. Any denial of access to PHI determined by Business Associate shall be the responsibility of Business Associate, including resolution or reporting of all appeals and/or complaints arising therefrom.
2.7 Amendment of Protected Health Information. Business Associate shall make a determination on any authorized request by an Individual for amendment(s) to PHI in a Designated Record Set, in the time and manner Required by Law and in accordance with the requirements of 45 CFR Section 164.526. Any denial of amendment of PHI determined by Business Associate shall be the responsibility of Business Associate, including resolution or reporting of all appeals and/or complaints therefrom. Business Associate shall report all approved amendments or statements of disagreement/rebuttals in accordance with 45 CFR Section 164.526.
2.8 Accounting of Disclosures. Business Associate agrees to provide, in response to a request by an Individual for an accounting of disclosures of PHI, made in accordance with 45 CFR Section 164.528, an accounting of disclosures of PHI, other than disclosures excepted under 45 CFR Section 164.528(a). Such accounting will be made in the time and manner Required by Law, and, at a minimum, Business Associate shall provide the following information for each disclosure: (i) the date of the disclosure; (ii) the name of the entity or person who received the PHI and, if known, the address of such entity or person; (iii) a brief description of the PHI disclosed; and (iv) a brief statement of the purpose of such disclosure which includes an explanation of the basis for such disclosure, or a copy of the written request for disclosure. In the event that an Individual’s request for an accounting is delivered directly to Covered Entity, it shall within five (5) days forward such request to Business Associate so that Business Associate can comply with the request. Such information must be maintained by Business Associate and its agents and subcontractors for a period of six (6) years from the date of each disclosure. Business Associate shall promptly report all such requests and their resolution to Covered Entity.
2.9 Safeguarding EPHI. Business Associate agrees to:
2.9.1 Implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the EPHI that it creates, receives, maintains or transmits on behalf of the Covered Entity in connection with this Agreement;
2.9.2 Ensure that any agent, including a subcontractor, to whom it provides such EPHI agrees to implement reasonable and appropriate safeguards to protect it; and
2.9.3 Report promptly in writing to the Covered Entity any Security Incident of which it becomes aware.
2.10 Auditing, Inspections and Enforcement. Upon reasonable notice, Business Associate agrees to make its internal practices, books and records relating to the use or disclosure of PHI available to the Secretary of the Department of Health and Human Services, or the Secretary’s designee, for purposes of determining Covered Entity’s compliance with the Privacy and Security Rule. Business Associate shall provide appropriate training regarding the requirements of this Agreement to any employee accessing, using or disclosing PHI and shall develop and implement a system of sanctions for any employee, agent or subcontractor who violates this Agreement.
2.11 Indemnification. Business Associate shall indemnify and hold harmless Covered Entity from and against any and all losses, expense, damage or injury that Covered Entity sustains as a result of, or arising out of a breach of this Agreement by Business Associate or its agents or subcontractors, including but not limited to any unauthorized use or disclosure of PHI.
2.12 Notice of Request for Data. Business Associate agrees to notify Covered Entity within five (5) days of Business Associate’s receipt of any request, subpoena, or judicial or administrative order to disclose PHI. To the extent that Covered Entity decides to assume responsibility for challenging the validity of such request, subpoena or order, Business Associate agrees to cooperate with Covered Entity in such challenge.
3.0 Covered Entity’s Obligations.
3.1 Delegation to Business Associate. As set forth in Sections 2.6, 2.7, and 2.8 of this Agreement, Covered Entity hereby delegates to Business Associate Covered Entity’s responsibility to provide access, amendment, and accounting of disclosures rights to Individuals with respect to PHI in the Designated Record Set in Business Associate’s possession. It is understood that Business Associate will interact directly with the Individual, up to and including resolution of any appeals or reporting of complaints under HIPAA, the HIPAA Regulations, or applicable federal or state laws.
3.2 Notice of Privacy Practices. Upon request, Covered Entity shall provide Business Associate with the notice of any privacy practices that Covered Entity produces in accordance with 45 CFR Section 164.520, as well as any changes to such notice. Business Associate shall provide to Covered Entity its own notice, as well as any changes to such notice, and shall distribute such notice to Individuals who are members of the Covered Entity, unless Covered Entity, within a reasonable period of time after receipt of such notice, instructs Business Associate not to distribute the notice.
3.3 Revocation of Authorization by Individual. Covered Entity agrees to inform Business Associate of any change to, or revocation of, an Individual’s Authorization to use or disclose PHI to the extent that such change may affect Business Associate’s use or disclosure of PHI, within a reasonable period of time after Covered Entity becomes aware of such change.
3.4 Restrictions on Use and Disclosure. Covered Entity agrees to notify Business Associate of any restrictions to the use or disclosure of PHI agreed to by Covered Entity in accordance with 45 CFR Section 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.
3.5 Permissible Requests. Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy and Security Rule if done by Covered Entity. Requests by Covered Entity for Business Associate to disclose PHI to a third party will be in writing and will specify whether or not the third party is also a business associate of Covered Entity. Business Associate may require that a Nondisclosure and Confidentiality Agreement be signed by the third party prior to disclosure.
3.6 Safeguards. Covered Entity shall use appropriate safeguards in accordance with 45 CFR Section 164.306 to ensure the security of PHI provided to Business Associate pursuant to the Arrangement and this Agreement, until such PHI is received by Business Associate.
3.7 Indemnification. Covered Entity shall indemnify and hold harmless Business Associate from and against any and all losses, expense, damage or injury that Business Associate sustains as a result of, or arising out of a breach of this Agreement by Covered Entity or its agents or subcontractors, including, but not limited to any unauthorized use or disclosure of PHI.
3.8 Notice of Security Incidents. Covered Entity agrees to report promptly in writing to the Business Associate any Security Incident of which it becomes aware.
4.0 Termination of Agreement
4.1 Term. This Agreement shall be effective from the Effective Date until all PHI provided by or received or created for Covered Entity is destroyed or returned to Covered Entity, or if it is infeasible to return or destroy PHI, protections are extended to such PHI in accordance with the terms of this Agreement. The term of this Agreement shall also end upon termination of the underlying Arrangement, subject, however, to the requirements of this Section 4.0 for return or destruction of all PHI.
4.2 Termination Upon Breach of Provisions Applicable to Protected Health Information. Any other provision of this Agreement notwithstanding, this Agreement may be terminated by the non-breaching Party upon ten (10) days prior written notice to the other Party in the event that such Party materially breaches any obligation of this Agreement and fails to cure the breach within such ten (10) day period; provided, however, that in the event that termination of this Agreement is not feasible, then the non-breaching Party shall have the right to report the other Party’s breach to the Secretary of the Department of Health and Human Services.
4.3 Return or Destruction of Protected Health Information Upon Termination. Upon termination of this Agreement and the Arrangement, Business Associate shall either return to Covered Entity or destroy all PHI in Business Associate’s possession or in the possession of its agents or subcontractors. Business Associate shall not retain any copies of PHI. Notwithstanding the foregoing, if Business Associate determines that returning or destroying PHI is infeasible, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction infeasible. Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make return or destruction infeasible, for so long as Business Associate maintains such PHI. If Business Associate elects to destroy all PHI, it shall certify in writing to Covered Entity that such PHI has been destroyed.
4.4 Remedies. Notwithstanding any rights or remedies set forth in this Agreement or provided by law, each Party retains all rights to seek injunctive relief to prevent or stop the unauthorized use or disclosure of PHI by the other Party, the other Party’s agents or subcontractors, or any third party who has received PHI from either Party.
4.5 Judicial or Administrative Proceedings. Either Party may terminate this Agreement, effective immediately, if (i) the other Party is named as a defendant in a criminal proceeding for a violation of HIPAA, the HIPAA Regulations or other security or privacy laws, or (ii) a finding or stipulation that the other Party has violated any standard or requirement of HIPAA, the HIPAA Regulations or other security or privacy laws is made in any administrative or civil proceeding in which the Party has been joined.
5.1 Relationship of the Parties. None of the provisions of this Agreement are intended to create or shall be deemed to create any relationship between the Parties other than that of independent parties contracting with each other solely for the purposes of effecting the provisions of this Agreement and any other Arrangement between the Parties.
5.2 Ownership of Protected Health Information. The PHI and any related information created for or received from Covered Entity is, and will remain, the property of Covered Entity, including any and all forms thereof developed by Business Associate in the course of fulfilling its obligations pursuant to the Arrangement. Business Associate agrees that it acquires no ownership rights to or title in PHI or any related information. Notwithstanding the foregoing, if Business Associate determines that returning or destroying PHI is infeasible, and that a copy must be kept by Business Associate, then Section 4.3 of this Agreement shall govern Business Associate’s retention of a copy of such PHI.
5.3 No Third Party Beneficiaries. Nothing expressed or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person or entity, other than Covered Entity, Business Associate and their respective successors and assigns, any rights, remedies, obligations or liabilities whatsoever.
5.4 Amendment to Comply With Law. Business Associate and Covered Entity agree to amend this Agreement to the extent necessary to allow either Party to comply with the Privacy Standards, the Standards for Electronic Transactions, and the Security Standards (collectively, the “Standards”) promulgated or to be promulgated pursuant to HIPAA and other applicable federal or state regulations or statutes. Business Associate and Covered Entity will fully comply with all applicable Standards and other applicable federal or state regulations or statutes and will amend this Agreement to incorporate any provisions required by the Standards, such regulations or statutes.
5.5 Other Amendments. This Agreement may be amended or modified only in writing signed by the Parties.
5.6 Waiver. No change, waiver or discharge of any liability or obligation hereunder on any one or more occasions shall be deemed a waiver of performance of any continuing or other obligation, or shall prohibit enforcement of any obligation on any other occasion.
5.7 Survival. The respective rights and obligations of Business Associate under Section 4.3 of this Agreement shall survive the termination of this Agreement and the underlying Arrangement.
5.8 Notice. Any notice to the other party pursuant to this Agreement shall be deemed provided if sent by first class United States mail, postage prepaid, as follows:
To Business Associate: FaceMyDoc Inc.
761 Middle Country Rd.
Selden, NY 11784
The above addresses may be changed by giving notice of such change in the manner provided above for giving notice.
5.9 Effect on Arrangement. The provisions of this Agreement shall prevail over any provisions of the Arrangement that conflict with or are inconsistent with any provision of this Agreement. All other terms of the Arrangement shall remain in full force and effect.
5.10 Interpretation. This Agreement and the Arrangement shall be interpreted as broadly as necessary to implement and comply with the Privacy and Security Rule. The Parties agree that any ambiguity in this Agreement or the Arrangement shall be resolved in favor of a meaning that complies with and is consistent with the Privacy Rule.
5.11 Costs. Each Party, at its own expense, shall provide and maintain the personnel, equipment, hardware, software, services (including without limitation telecommunications services) and testing necessary to comply with the privacy and security provisions of this Agreement.