HIPAA Business Association Agreement


This Business Associate Agreement is entered into by and between Counsellor Exchange, Inc. (“Business Associate”) and Counselling Member (“Covered Entity”) (collectively, the “Parties”).

RECITALS

WHEREAS Covered Entity is required to comply with the administrative simplification section of the Health Insurance Portability and Accountability Act of 1996 (the “Act”) and its implementing regulations, including the Standards for Privacy of Individually Identifiable Health Information (the “Privacy Rule”) and the Security Standards for the Protection of Electronic Protected Health Information (the “Security Rule”), amended by the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”) and its implementing regulations, and as they may be further amended from time to time (collectively, “HIPAA”).

AND WHEREAS Business Associate, in the course of providing various services to Covered Entity, may have access to certain Protected Health Information (“PHI”) and may be deemed a business associate for certain purposes under HIPAA.

AND WHEREAS the Parties contemplate that Business Associate may obtain PHI, with Covered Entity’s knowledge and consent, from certain other business associates of Covered Entity that may possess such PHI.

AND WHEREAS Business Associate and Covered Entity are entering into this Business Associate Agreement (this “BAA”) to set forth Business Associate’s obligations with respect to its handling of the PHI, whether such PHI was obtained from another business associate of Covered Entity or directly from Covered Entity.

NOW, THEREFORE, for mutual consideration, the sufficiency and delivery of which is acknowledged by the Parties, and upon the premises and covenants set forth herein, the Parties agree as follows:

1. Definitions. Unless otherwise defined herein, capitalized terms used in this BAA shall have the meanings ascribed to them in HIPAA and/or the Master Services Agreement, Engagement Letter, Engagement Agreement, or any other agreement between the Parties setting forth their relationship (“Master Agreement”) between Covered Entity and Business Associate, as applicable.

2. Obligations and Activities of Business Associate. To the extent that Business Associate is provided with or creates any PHI on behalf of Covered Entity and is acting as a business associate of Covered Entity, Business Associate agrees to comply with the provisions of HIPAA applicable to business associates, and in doing so, represents and warrants as follows: 

(a) Use or Disclosure. Business Associate agrees to not use or disclose PHI other than as set forth in this BAA, the Master Agreement, or as required by law.

(b) Specific Use or Disclosure. Except as otherwise limited by this BAA, Business Associate may use or disclose PHI:

(i) to perform data aggregation and services required under the Master Agreement to assist Covered Entity in its operations, as long as such use or disclosure would not violate HIPAA if done by Covered Entity, or HIPAA permits such use or disclosure by a business associate; and

(ii) for the proper management and administration of Business Associate or to carry out Business Associate’s legal responsibilities, provided that with respect to disclosure of PHI, such disclosure is required by law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.

(c) Minimum Necessary. Business Associate agrees to take reasonable efforts to limit requests for, or uses and disclosures of, PHI to the extent practical, a limited data set, otherwise to the minimum necessary to accomplish the intended request, use, or disclosure.

(d) Safeguards. Business Associate shall establish appropriate safeguards, consistent with HIPAA, that are reasonable and necessary to prevent any use or disclosure of PHI not expressly authorized by this BAA.

(i) To the extent that Business Associate creates, receives, maintains, or transmits Electronic PHI, Business Associate agrees to establish administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the Electronic PHI that it creates, receives, maintains, or transmits on behalf of Covered Entity, as required by the Privacy Rule and Security Rule.

(ii) The safeguards established by Business Associate shall include securing PHI that it creates, receives, maintains, or transmits on behalf of Covered Entity in accordance with the standards set forth in Section 13402(h) of the HITECH Act and any guidance issued thereunder.

(iii) Business Associate agrees to provide Covered Entity with such written documentation concerning safeguards as Covered Entity may reasonably request from time to time.

(e) Agents and Subcontractors. Business Associate agrees to obtain written assurances that any agents, including subcontractors, to whom it provides PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, agree to the same restrictions and conditions that apply to Business Associate with respect to such PHI, including the requirement that it agree to implement reasonable and appropriate safeguards to protect Electronic PHI that is disclosed to it by Business Associate. To the extent permitted by law, Business Associate shall be fully liable to Covered Entity for any and all acts, failures, or omissions of Business Associate’s agents and subcontractors in any breach of their subcontracts or assurances to Business Associate as though they were Business Associate’s own acts, failures, or omissions.

(f) Reporting. Within seven (7) business days of discovery by Business Associate, Business Associate agrees to notify Covered Entity in writing of any use or disclosure of, or Security Incident involving, PHI, including any Breach of Unsecured PHI, not provided for by this BAA or the Master Agreement, of which Business Associate may become aware.

(i) In the notice provided to Covered Entity by Business Associate regarding unauthorized uses and/or disclosures of PHI, Business Associate shall describe the remedial or proposed mitigation efforts required under Section 2(g) of this BAA.

(ii) Specifically with respect to reporting a Breach of Unsecured PHI, Business Associate agrees to include the identity of the individual(s) whose Unsecured PHI was Breached in the written notice provided to Covered Entity, and any additional information required by HIPAA.

(iii) Business Associate agrees to cooperate with Covered Entity upon report of any such Breach so that Covered Entity may provide the individual(s) affected by such Breach with proper notice as required by HIPAA.

(g) Mitigation. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate resulting from a use or disclosure of PHI by Business Associate in violation of the requirements of this BAA or the Master Agreement.

(h) Audits and Inspections. Business Associate agrees to make its internal practices, books, and records, including policies and procedures, relating to the use and disclosure of PHI available to the Secretary of the Department of Health and Human Services, in a time and manner mutually agreed to by the Parties or designated by the said Secretary, for purposes of the said Secretary determining Covered Entity’s compliance with HIPAA.

(i) Accounting. Business Associate agrees to document and report to Covered Entity, within seven (7) days, Business Associate’s disclosures of PHI so Covered Entity can comply with its accounting of disclosure obligations in accordance with 45 C.F.R. § 164.528 and any subsequent regulations issued thereunder.

(j) Designated Record Set. While the Parties do not intend for Business Associate to maintain any PHI in a designated record set, to the extent that Business Associate does maintain any PHI in a designated record set, Business Associate agrees to promptly make available to Covered Entity PHI for:

(i) Covered Entity to comply with its access obligations in accordance with 45 C.F.R. § 164.524 and any subsequent regulations issued thereunder; and

(ii) amendment upon Covered Entity’s request and incorporate any amendments to PHI as may be required for Covered Entity to comply with its amendment obligations in accordance with 45 C.F.R. § 164.526 and any subsequent guidance.


3. Obligations of Covered Entity.

(a) Covered Entity agrees to adopt and abide by the Notice of Privacy Practices posted on Business Associate’s website. The said Notice of Privacy Practices may be modified by Business Associate from time to time, such modifications to be effective immediately upon posting of the revised Notice of Privacy Practices on Business Associate’s website. This BAA incorporates by reference the said Notice of Privacy Practices. The Notice of Privacy Practices will contain at the top of the first page the effective date.

(b) Covered Entity agrees to notify Business Associate of any limitation(s) in Covered Entity’s own notice of privacy practices in accordance with 45 C.F.R. § 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI.

(c) Covered Entity agrees to notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent that such changes may affect Business Associate’s use or disclosure of PHI.

(d) Covered Entity agrees to notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 C.F.R. § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.

 

4. Term and Termination.

(a) Term. This BAA shall become effective upon the Effective Date (as hereinafter defined herein) and, unless otherwise terminated as provided herein, shall have a term that shall run concurrently with that of the last expiration date or termination of the Master Agreement.

(b) Termination Upon Breach. Without limiting the termination rights of the Parties pursuant to the Master Agreement, upon either Party’s knowledge of a material breach by the other Party to this BAA, including the Recitals of this BAA, the breaching Party shall notify the non-breaching Party of such breach and the breaching party shall have fourteen (14) days from the date of notification to the non-breaching party to cure such breach. In the event that such breach is not cured, or cure is infeasible, the non-breaching party shall have the right to immediately terminate this BAA and those portions of the Master Agreement that involve the disclosure to Business Associate of PHI, or, if nonseverable, the Master Agreement.

(c) Termination by Either Party. Either Party may terminate this BAA upon provision of thirty (30) days’ prior written notice.

(d) Effect of Termination.

(i) To the extent feasible, upon termination of this BAA or the Master Agreement for any reason, Business Associate agrees, and shall cause any subcontractors or agents to return or destroy and retain no copies of all PHI received from, or created or received by Business Associate on behalf of, Covered Entity. Business Associate agrees to complete such return or destruction as promptly as possible and verify in writing within thirty (30) days of the termination of this BAA to Covered Entity that such return or destruction has been completed.

(ii) If not feasible, Business Associate agrees to provide Covered Entity notification of the conditions that make return or destruction of PHI not feasible. Upon notice to Covered Entity that return or destruction of PHI is not feasible, Business Associate agrees to extend the protections of this BAA to such PHI for as long as Business Associate maintains such PHI.

 

5. Miscellaneous.

(a) Regulatory References. A reference in this BAA to a section in the Privacy Rule or Security Rule means the section as in effect or as amended.

(b) Amendment. The Parties acknowledge that the provisions of this BAA are designed to comply with HIPAA and agree to take such action as is necessary to amend this BAA from time to time as is necessary for Covered Entity to comply with the requirements of HIPAA. Regardless of the execution of a formal amendment of this BAA, the BAA shall be deemed amended to permit Covered Entity and Business Associate to comply with HIPAA.

(c) Parties Bound. This BAA shall inure to the benefit of and be binding upon the Parties hereto and their respective legal representatives, successors, and assigns. Business Associate may not assign or subcontract the rights or obligations under this BAA without the express written consent of Covered Entity. Covered Entity may assign its rights and obligations under this BAA to any successor or affiliated entity.

(d) No Waiver. No provision of this BAA or any breach thereof shall be deemed waived unless such waiver is in writing and signed by the Party claimed to have waived such provision or breach. No waiver of a breach shall constitute a waiver of or excuse any different or subsequent breach.

(e) Effect on Master Agreement. This BAA together with the Master Agreement constitute the complete agreement between the Parties and supersedes all prior representations or agreements, whether oral or written, with respect to such matters. In the event of any conflict between the terms of this BAA and the terms of the Master Agreement, the terms of this BAA shall control unless the terms of such Master Agreement are stricter, as determined by Covered Entity, with respect to PHI and compliance with HIPAA, or the Parties specifically otherwise agree in writing. No oral modification or waiver of any of the provisions of this BAA shall be binding on either party. No obligation on either party to enter into any transaction is to be implied from the execution or delivery of this BAA.

(f) Interpretation. Any ambiguity in this BAA shall be resolved to permit the Parties to comply with HIPAA and any subsequent guidance.

(g) No Third Party Rights. The terms of this BAA are not intended nor should they be construed to grant any rights, remedies, obligations, or liabilities whatsoever to parties other than Business Associate and Covered Entity and their respective successors or assigns.

(h) Applicable Law. This BAA shall be governed under the laws of the Commonwealth of Virginia without regard to conflicts of law provisions that would impose the laws of any other jurisdiction.

(i) Action by Covered Entity. Business Associate understands and acknowledges that any disclosure or misappropriation of any PHI in violation of this BAA will cause Covered Entity irreparable harm, the monetary amount of which may be difficult to ascertain, and therefore agrees that Covered Entity shall have the right to apply to a court of competent jurisdiction for specific performance and/or an order restraining and enjoining any such further disclosure or breach and for such other relief as Covered Entity shall deem appropriate.

(j) Action Against Covered Entity. Business Associate agrees to make itself and any agents, affiliates, subsidiaries, subcontractors, or employees assisting Business Associate in the fulfillment of its obligations under this BAA, available to Covered Entity, at no cost to Covered Entity, to testify as witnesses, or otherwise, in the event of litigation or administrative proceedings being commenced against Covered Entity, its directors, officers, or employees based upon claimed violation of HIPAA or other laws relating to security and privacy, except where Business Associate or its agents, affiliates, subsidiaries, subcontractors, or employees are a named adverse party.

(k) Method of Providing Notice. Any notice required to be given pursuant to the terms and provisions of this BAA shall be in writing and may be delivered or sent (i) by Business Associate to Covered Entity to the email address Business Associate has on file for Covered Entity in Covered Entity’s “My Account” settings on the Counsellor Exchange Website, or such other email address as Covered Entity may later provide to Business Associate, (ii) by Covered Entity from the email address Business Associate has on file for Covered Entity in Covered Entity’s “My Account” settings on the Counsellor Exchange Website, or such other email address as Covered Entity may later provide to Business Associate, to Business Associate to the following email address: info@counsellorx.com, or (iii) in accordance with the terms of the Master Agreement currently in effect between Covered Entity and Business Associate.

(l) Electronic Form. Covered Entity agrees that this BAA is provided only in electronic form. Covered Entity is cautioned to print a copy of this BAA for its records as future changes in hardware or software requirements may create a material risk that Covered Entity will not be able to continue to access and/or retain this electronic BAA. A printed version of this BAA and of any notice given in electronic form shall be admissible in judicial or administrative proceedings based upon or relating to this BAA to the same extent and subject to the same conditions as other business documents and records originally generated and maintained in printed form.

 

BUSINESS ASSOCIATE, BY POSTING THIS HIPAA BUSINESS ASSOCIATE AGREEMENT ON ITS WEBSITE, AGREES TO ALL OF THE PROVISIONS CONTAINED HEREIN.

 

COVERED ENTITY REPRESENTS THAT IT HAS READ THIS AGREEMENT AND THE NOTICE OF PRIVACY PRACTICES AND AGREES TO ALL OF THE PROVISIONS CONTAINED HEREIN.

 

 

THIS AGREEMENT IS EFFECTIVE AS OF THE TIME AND DATE THAT IT IS AGREED TO BY THE COVERED ENTITY (THE “EFFECTIVE DATE”).