Codex Health
Business Associate Agreement

Last updated: August 26th, 2024

This Business Associate Agreement (the “BAA”) is incorporated by reference in the Codex Health Order Form (“Order Form”) entered into between you (“Covered Entity” for the purposes of this BAA) and Codex Health Inc (“Business Associate”). The effective date of this BAA (“Effective Date”) is the effective date of the Services Agreement (defined below). Covered Entity and Business Associate are collectively referred to as “Parties” in this BAA.

The purpose of this BAA is to comply with the Privacy, Security, Breach Notification and Enforcement Rules issued by the United States Department of Health and Human Services (“HHS”) under the Health Insurance Portability and Accountability Act of 1996 and the provisions of the Health Information Technology for Economic and Clinical Health Act, which is a part of the American Recovery and Reinvestment Act of 2009 (collectively referred to as “HIPAA”).
RECITALS

Covered Entity is required to comply with HIPAA’s requirements regarding the privacy and security of Protected Information, defined below.

By the Parties’ mutual execution of the Codex Health Order Form, Business Associate has entered into the Codex Health Services Agreement with Covered Entity (“Services Agreement”), into which this BAA is incorporated and pursuant to which Business Associate will render services to or on behalf of Covered Entity involving Protected Information and must comply with the requirements imposed upon it by HIPAA and this BAA.

NOW THEREFORE, in consideration of the mutual covenants, promises and agreements contained herein, the Parties agree as follows:

I. Definitions

A. The following terms shall have the same meaning as those terms are defined by HIPAA: Administrative Safeguards, Breach, Breach Notification Rule, Data Aggregation, Designated Record Set, Disclosure, Personal Information, Electronic Protected Health Information, Enforcement Rule, Individual, Information, Marketing, Minimum Necessary, Physical Safeguards, Privacy Rule, Protected Health Information (“PHI”), Required by Law, Secretary, Security, Security Incident, Security Rule, Subcontractor, Technical Safeguards, Unsecured Protected Health Information, Use, and Workforce Member.

B. The term Protected Information shall mean, for the purposes of this BAA, any or all of Protected Health Information, Electronic Protected Health Information, or Personal Information.

C. The term Business Day means Monday through Friday, except for legal public holidays specified in 5 U.S.C. 6103(a), or any other day declared to be a holiday by federal statute or executive order.

II. Permitted Uses and Disclosures of Protected Information by Business Associate. Business Associate must, in its capacity as a Business Associate to the Covered Entity: 

A. Use and Disclose Protected Information to perform services on behalf of Covered Entity pursuant to the terms of the Services Agreement, provided that such Use or Disclosure would not violate HIPAA if done by Covered Entity.

B. Use and Disclose Protected Information for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate. 

C. Use and Disclose Protected Information only in the manner permitted or Required by Law.

D. Obtain reasonable assurances from the Person or Entity to whom it Discloses Protected Information that the Protected Information will remain confidential and be Used or further Disclosed only as permitted or Required by Law, or for the purpose for which it was Disclosed to the Person or Entity, and that the Person or Entity will notify Business Associate of any instances of which it is aware where the confidentiality of the Protected Information has been compromised.

E. Provide Data Aggregation services relating to the health care operations of the Covered Entity. Business Associate may de-identify any or all Protected Information created or received by Business Associate under this BAA, and provided the de-identification conforms to the requirements of the HIPAA Rules, such de-identified data may be used, disclosed, and retained by Business Associate as permitted by applicable law.

III. Obligations of Business Associate. Business Associate must, in its capacity as a Business Associate to the Covered Entity, comply with the following obligations: 

A. Comply with Law. Business Associate must Use and Disclose Protected Information in compliance with all applicable provisions of HIPAA, as amended from time to time. Business Associate acknowledges that its failure to comply with HIPAA or other statutory duties could result in civil and criminal penalties under 42 USC §§ 1320d-5 & 1320d-6.

B. Proper Uses and Disclosures. Business Associate must not Use or Disclose Protected Information other than as permitted by the terms of this BAA or the Services Agreement, or as Required by Law.  Business Associate will comply with all obligations imposed by HIPAA applicable to Covered Entity when Using and Disclosing Protected Information on behalf of Covered Entity.

C. Appropriate Safeguards. Business Associate must implement and maintain appropriate safeguards to protect the confidentiality, integrity and availability of Protected Information that it creates, receives, maintains, stores, processes or transmits on behalf of Covered Entity. Appropriate safeguards include all Administrative, Physical and Technical Safeguards of the Security Rule and shall include technologies and methodologies prescribed by the Secretary of HHS in applicable HIPAA regulations. Business Associate acknowledges that it has implemented such safeguards and complies with all applicable policy, procedure, and documentation requirements set forth in HIPAA. The provisions of this section shall be in force unless Protected Information is de-identified in conformance to the requirements of the HIPAA Rules.

D. Reporting of Improper Uses or Disclosures, Security Incidents and Breaches.

(1) Improper Uses or Disclosures. Business Associate shall give written notice to Covered Entity of any Use or Disclosure of PHI not provided for by this BAA or the Services Agreement no later than three (3) Business Days of becoming aware of such improper Use or Disclosure. To the extent the required information is available, a full written report will be provided to Covered Entity no later than five (5) Business Days from the date Business Associate becomes aware of the improper Use or Disclosure. Such report shall be supplemented promptly as new information becomes available.

(2) Security Incident. Business Associate shall give written notice to Covered Entity of any successful Security Incident no later than three (3) Business Days of becoming aware of such Security Incident, regardless of whether the incident constitutes a Breach as defined in 45 CFR §164.402. To the extent the required information is available, a full written report will be provided to the Covered Entity no later than five (5) Business Days from the date Business Associate becomes aware of the incident. Such report shall be supplemented promptly as new information becomes available.

(3) Breach of Unsecured PHI. In the event of a Breach of Unsecured PHI that Business Associate accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, Uses or Discloses on behalf of Covered Entity, Business Associate shall give written notice of such Breach to Covered Entity no later than three (3) Business Days of discovering such Breach. A Breach shall be treated as discovered by Business Associate at the point when Business Associate’s Workforce Member, Subcontractor or agent is aware, or would be aware by exercising reasonable diligence, of the Breach. To the extent the required information is available, a full written report will be provided to Covered Entity no later than five (5) Business Days from the date Business Associate discovered the Breach. Such report shall be supplemented promptly as new information becomes available.

(4) Breach of Protected Information.  In the event of a Breach of Protected Information which Business Associate has been contracted to maintain, store, or process on behalf of Covered Entity, Business Associate shall give written notice of such Breach to Covered Entity no later than three (3) Business Days of discovering such Breach. To the extent the required information is available, a full written report will be provided to Covered Entity no later than five (5) Business Days from the date Business Associate becomes aware of the Breach. Such report shall be supplemented promptly as new information becomes available. Business Associate shall cooperate with Covered Entity in any ensuing investigation of the Breach, including by sharing with the Covered Entity information relevant to the Breach.

(5) Reports.  The full written reports required above shall include, at a minimum, to the extent that the information is known or available to Business Associate:

(a) Identification of each Individual whose Protected Information has been, or is reasonably believed to have been, improperly Used or Disclosed; 
(b) Description of what happened, including the date of the improper Use or Disclosure, Security Incident, Breach of Unsecured PHI, or Breach of Protected Information and the date of its discovery; 
(c) Description of the types of Protected Information that were involved; 
(d) Steps affected individuals should take to protect themselves from potential harm; 
(e) Information about the cause of the improper Use or Disclosure, Security Incident, Breach of Unsecured PHI, or Breach of Protected Information and who received the Protected Information; 
(f) Description of Business Associate’s investigation and responses; 
(g) Actions taken by Business Associate to prevent any further improper Use or Disclosure of Protected Information;
(h) Actions taken by Business Associate to mitigate any deleterious effect of the improper Use or Disclosure of Protected Information; and
(i) Additional information reasonably requested by the Covered Entity.

(6) Mitigation. Business Associate shall, in consultation with Covered Entity, mitigate, to the extent practicable, any harmful effect to Covered Entity from an improper Use or Disclosure, Security Incident, Breach of Unsecured PHI, or Breach of Protected Information caused by Business Associate in violation of the requirements of this BAA or Services Agreement.

E. Minimum Necessary. Business Associate shall only Use and Disclose the minimum amount of Protected Information necessary to accomplish its requirements under the terms of this BAA and the Services Agreement. 

F. Access to and Amendment of PHI. If an Individual makes a request for access or for amendment of PHI directly to Business Associate, Business Associate shall forward such request to Covered Entity in writing within five (5) Business Days of its receipt of the request. Covered Entity will be responsible for responding to such requests in accordance with HIPAA. However, to the extent Business Associate maintains PHI in a Designated Record Set, Business Associate shall, at the request of Covered Entity and as specifically directed by the Covered Entity, make the PHI available to Covered Entity in compliance with 45 CFR §164.524 or make amendments to PHI in accordance with 45 CFR §164.526.

G. Accounting of Disclosures. Business Associate agrees to document Disclosures of PHI to the extent necessary to allow Covered Entity to respond to a request by an Individual for an accounting of disclosures in accordance with 45 CFR §164.528. At a minimum, such documentation shall include the date of the Disclosure, the name of the entity or person who received PHI and, if known, the address of the entity or person, a brief description of the PHI Disclosed, and a brief statement of the purpose of the Disclosure that reasonably informs the Individual of the basis for the Disclosure. This documentation will be retained for a period of six (6) years following the Disclosure unless it is transferred to the Covered Entity at the termination of this BAA or the Services Agreement. Upon request by Covered Entity, Business Associate shall provide such documentation to Covered Entity within five (5) Business Days of Covered Entity’s request. In the event that an Individual submits a request for an accounting of disclosures directly to Business Associate, Business Associate shall forward such request to Covered Entity in writing within five (5) Business Days of its receipt of such request. It will be Covered Entity’s responsibility to prepare and deliver any such accounting of disclosures to the Individual.

H. Audits, Inspection, and Enforcement. Within ten (10) Business Days of Covered Entity’s written request, Business Associate shall allow Covered Entity to conduct a reasonable inspection of the facilities, systems, books, records, agreements, and policies/procedures relating to Business Associate’s Use and Disclosure of Covered Entity’s Protected Information for the purpose of determining whether Business Associate is in compliance with this BAA. The fact that Covered Entity inspects, or fails to inspect, does not relieve Business Associate of its responsibility to comply with this BAA, nor does Covered Entity’s failure to detect an unsatisfactory practice constitute acceptance of such practice or a waiver of Covered Entity’s enforcement of rights under this BAA.

I. Governmental Access to Records. Business Associate agrees to make internal practices, books, records, and policies/procedures relating to its Use and Disclosure of Covered Entity’s PHI pursuant to this BAA available to the Secretary, in a time and manner indicated by the Secretary for purposes of the Secretary determining Covered Entity’s HIPAA compliance.

J. Training. Business Associate agrees to provide timely, adequate training concerning HIPAA to its Workforce Members.

K. Marketing. Business Associate shall Use and Disclose Protected Information for Marketing only as expressly directed in writing by Covered Entity.

L. Sale of PHI. Business Associate is prohibited from selling Covered Entity’s Protected Information.

M. Business Associate’s Agents/Subcontractors. Business Associate shall ensure that any agent, including a Subcontractor, to whom it provides Covered Entity’s Protected Information, agrees in writing to the same terms and obligations that apply to Business Associate through this BAA.

N. Prevention of Identity Theft. To the extent Business Associate is a service provider who provides service directly to a financial institution or creditor, Business Associate shall perform all services and conduct all activities under this BAA and the Services Agreement in accordance with reasonable policies and procedures which are designed to identify, prevent, and mitigate identity theft in accordance with the standards established by 16 CFR Part 681 and other applicable law. Business Associate shall provide such policies and procedures to Covered Entity upon request.

O. Exporting PHI. Business Associate will not export, nor will it permit its agents and Subcontractors to export, Covered Entity’s Protected Information beyond the borders of the United States of America without prior written approval from Covered Entity.

IV. Obligations of Covered Entity. Covered Entity must, in its capacity as a Covered Entity, comply with the following obligations:

A. Not Use or Disclose Protected Information in any manner that violates HIPAA or other applicable federal and state laws. 

B. Not request Business Associate to Use or Disclose Protected Information in any manner that violates HIPAA or other applicable federal and state laws.

V. Term and Termination

A. Term. The term of this BAA shall be effective as of the Effective Date of the Services Agreement, and shall continue in effect until terminated as provided by the Services Agreement.

B. Termination for Cause. Upon Covered Entity’s knowledge of a material breach of this BAA by Business Associate, Covered Entity shall either provide an opportunity for Business Associate to cure the breach upon mutually agreeable terms or immediately terminate this BAA and the Services Agreement if cure is not possible or mutually agreeable terms cannot be reached.

C. Equitable Remedies. Business Associate acknowledges and agrees that Covered Entity may file an action for an injunction to enforce the terms of this BAA, in addition to any other remedy Covered Entity may have. Where Covered Entity has knowledge of any material breach by Business Associate, Covered Entity may take proceedings against Business Associate before any Court having jurisdiction to obtain an injunction or any legal proceedings to cure or stop such material breach.

D. Effect of Termination. Upon termination of this BAA, Business Associate shall return or destroy all Protected Information received from Covered Entity or created or received by Business Associate on behalf of Covered Entity, and shall retain no copies of the Protected Information, unless otherwise permitted by this BAA or the Services Agreement. This provision includes Business Associate’s return of all of Covered Entity’s Protected Information in the possession of Business Associate’s agents or Subcontractors. Business Associate shall destroy all Protected Information in accordance with the approved technologies and methodologies set out by the Secretary. In the event Business Associate believes that returning or destroying the Protected Information is infeasible, Business Associate shall provide Covered Entity with notification of the conditions that make return or destruction infeasible. Upon mutual agreement of the Parties that return or destruction of Protected Information is infeasible, Business Associate shall extend the protections of this BAA to such Protected Information and limit further Uses and Disclosures of such Protected Information to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such Protected Information.

VI. Amendment.  The Parties agree to take such action as is reasonably necessary to amend this BAA from time to time to comply with the requirements of HIPAA or other applicable law.

VII. Miscellaneous

A. Interpretation. The provisions of this BAA shall prevail over any provisions in the Services Agreement that may conflict or appear inconsistent with any provision in this BAA. Any ambiguity in this BAA shall be resolved in favor of a meaning that permits Covered Entity to comply with HIPAA. If the provisions differ but are permitted by HIPAA, the provisions of this BAA shall control.

B. Survival. The obligations of Business Associate expressly set out in this BAA shall survive the termination of this BAA.

C. No Third-Party Beneficiaries. Nothing express or implied in this BAA is intended to confer, nor shall anything herein confer, upon any person other than Covered Entity, Business Associate and their respective successors or assigns, any rights, remedies, obligations or liabilities whatsoever.

D. Governing Law. This BAA shall be governed by and construed in accordance with the laws of the State of California.