Business Associate Agreement

THIS BUSINESS ASSOCIATE AGREEMENT (“BAA” or “Agreement”) is entered into between PicassoMD and User (collectively, “The Parties”). This BAA is effective on the date User electronically agrees to be legally bound by this BAA (“Effective Date”).

A. Purpose. The purpose of this Agreement is to comply with the requirements of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and its implementing regulations, 45 C.F.R. parts 142 and 160-164, as may be amended, including the Privacy, Security, Breach Notification, and Enforcement Rules (the “HIPAA Rules”).

B. Relationship. For purposes of this Agreement, User means the primary care provider, specialist provider, or administrative staff. User is licensed to receive the Services offered by PicassoMD. The terms of that subscription are set forth in the PicassoMD Terms of Use. By electronically signing the PicassoMD Terms of Use, User has agreed to be bound by its terms. The PicassoMD Terms of Use provide that in order to enable PicassoMD to provide the Services to User, PicassoMD has the right to extract, transmit, store or use information and data related to the Services, including medical notes, medical records, and patient information. Such medical notes and patient information are likely to constitute Protected Health Information (“PHI”), as that term is defined in the HIPAA Rules.

C. Permitted Uses and Disclosures. The Parties may use or disclose PHI only as permitted or required by this BAA, or as otherwise required by law. The Parties may disclose PHI to, and permit the use of PHI by, their employees, contractors, agents, or other representatives only to the extent directly related to and necessary for the performance of the Services. Disclosure of PHI to and use of PHI by subcontractors, agents and other representatives is also subject to Section F below. When requesting PHI, The Parties will request only the minimum PHI necessary to perform the Services. The Parties will not use or disclose PHI in a manner that is inconsistent with the party’s obligations under the HIPAA Rules.

D. Safeguards for the Protection of PHI. The Parties shall comply with Subpart C of 45 C.F.R. Part 164. The Parties shall maintain commercially appropriate security safeguards to ensure that PHI obtained during the use of The Services is not used or disclosed in violation of this BAA. The safeguards are designed to protect the confidentiality and integrity of PHI obtained from, accessed or created on behalf of The Parties. Security measures maintained by The Parties shall comply with the HIPAA Rules, and include those administrative, physical, and technical security safeguards necessary to protect PHI, including, without limitation, safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of all PHI that The Parties create, receive, maintain, or transmit.

E. Reporting and Mitigating the Effect of Unauthorized Uses and Disclosures.

1. PicassoMD has established and implemented, and User shall establish and implement, procedures and other reasonable efforts to mitigate, to the greatest extent possible, any harmful effects arising from any improper use or disclosure of PHI.

2. The Parties shall comply with Section 13402 of the HITECH Act and implementing regulations, 45 C.F.R. Part 164, Subpart D, as may be amended (collectively, the Breach Notification Rules). PicassoMD shall report any breach of unsecured PHI to The Party that provided the PHI within two (2) business days of completing its assessment and concluding that a breach has occurred. The Party that received the PHI from PicassoMD, Specialist and/or Primary Care Provider, shall report any breach of unsecured PHI to PicassoMD within two (2) business days of completing its assessment and concluding that a breach has occurred. The Party that caused, or is responsible for, such breach, PicassoMD and/or User, shall provide all information regarding such breach, including an assessment of such breach, that is reasonably requested by another Party.

3. If a breach is caused by User or its subcontractors or agents, PicassoMD may either: (i) require User to notify affected individuals in accordance with the Breach Notification Rules; or (ii) notify the affected individuals directly, in which case User shall reimburse PicassoMD for all reasonable expenses associated with the notifications.

4. If a breach is caused by PicassoMD or its subcontractors or agents, User may either: (i) require PicassoMD to notify affected individuals in accordance with the Breach Notification Rules; or (ii) notify the affected individuals directly, in which case PicassoMD shall reimburse User for all reasonable expenses associated with the notifications.

F. Subcontractors, Agents, and Representatives – Use and Disclosure of PHI. The Parties will enter into a written Business Associate Agreement with any subcontractor, agent, or other representative that creates, receives, uses, obtains, accesses, maintains, or transmits PHI obtained or created during the course of use of the Services. The BAA between User and PicassoMD and its subcontractors, agents or other representatives shall contain the same restrictions, conditions and requirements regarding the use and/or disclosure of PHI and safeguarding of PHI that apply to The Parties under this BAA. The Parties shall terminate any business associate relationship with a subcontractor, agent or representative if it knows of a pattern of activity or practice that constitutes a material breach or violation of the subcontractor’s, agent’s or representative’s obligations, unless such material breach or violation has been cured to the reasonable satisfaction of The Parties.

Individual Rights. Pursuant to the Privacy Rule, User shall provide the following rights to individuals whose PHI is used to provide the Services:

1. Right of Access. (a) User shall provide an individual or PicassoMD access to PHI, at the request of PicassoMD and in the time and manner designated by PicassoMD as required under 45 C.F.R. § 164.524. (b) PicassoMD shall provide an individual or User access to PHI, at the request of User and in the time and manner designated by User as required under 45 C.F.R. § 164.524.

2. Right of Amendment. (a) User shall make any amendment(s) to PHI that PicassoMD directs or agrees to pursuant to 45 C.F.R. § 164.526 in the time and manner designated by PicassoMD. (b) PicassoMD shall make any amendment(s) to PHI that User directs or agrees to pursuant to 45 C.F.R. § 164.526 in the time and manner designated by User.

3. Right to Accounting of Disclosures.

a. User shall document any disclosures of PHI that would be necessary to allow PicassoMD to respond to a request by an individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528, and shall forward a copy of such documentation to PicassoMD within ten (10) business days of PicassoMD’s request for such documentation. User shall provide to PicassoMD any further information requested by PicassoMD to enable PicassoMD to respond to a request by an individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528. To the extent User makes any disclosures on behalf of PicassoMD through an electronic health record as defined in Section 13400 of the HITECH Act, User will document all such disclosures of PHI as required under the HITECH Act and its implementing regulations, and will provide an accounting of such disclosures directly to an individual upon his/her request. User’s obligation to document disclosures made through an electronic health record and provide an accounting of such disclosures directly to individuals upon request shall be effective as of the date by which business associates are required to comply with Section 13405(c) of the HITECH Act or such later date specified by the Secretary of HHS.

b. PicassoMD shall document any disclosures of PHI that would be necessary to allow Specialist or Primary Care Provider to respond to a request by an individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528, and shall forward a copy of such documentation to Specialist or Primary Care Provider within ten (10) business days of Specialist’s or Primary Care Provider’s request for such documentation. PicassoMD shall provide to Specialist or Primary Care Provider any further information requested by Specialist or Primary Care Provider to enable Specialist or Primary Care Provider to respond to a request by an individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528. To the extent PicassoMD makes any disclosures on behalf of Specialist or Primary Care Provider through an electronic health record as defined in Section 13400 of the HITECH Act, PicassoMD will document all such disclosures of PHI as required under the HITECH Act and its implementing regulations, and will provide an accounting of disclosures directly to an individual upon his/her request. PicassoMD’s obligation to document disclosures made through an electronic health record and provide an accounting of such disclosures directly to individuals upon request shall be effective as of the date by which business associates are required to comply with Section 13405(c) of the HITECH Act or such later date specified by the Secretary of HHS.

G. Use and Disclosure for The Parties’ Purposes.

1. Use. Except as otherwise limited in this Agreement, The Parties may each use PHI for the proper management and administration of The Parties or to carry out each of their legal responsibilities.

2. Disclosure. Except as otherwise limited in this Agreement, The Parties may disclose PHI for the proper management and administration of their respective business provided the disclosures are required by law, or The Parties obtain reasonable assurances from the person to whom the PHI is disclosed that it will remain confidential and be used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person notifies PicassoMD or User of any instances of which it is aware in which the confidentiality of the PHI has been breached.

H. Audit, Inspection and Enforcement by PicassoMD. With reasonable notice, PicassoMD may audit User to monitor compliance with this Agreement. User will promptly correct any violation of this Agreement found by PicassoMD and will certify in writing that the correction has been made. User will make its internal practices, books, records, and policies and procedures relating to the use and disclosure of PHI received from, or created or received by User on behalf of PicassoMD, available to the federal Department of Health and Human Services (HHS), the Office for Civil Rights (OCR), or to PicassoMD for purposes of monitoring compliance with the HIPAA Rules.

I. Audit, Inspection and Enforcement by Specialist or Primary Care Provider. With reasonable notice, User may audit PicassoMD to monitor compliance with this Agreement. PicassoMD will promptly correct any violation of this Agreement found by User and will certify in writing that the correction has been made. PicassoMD will make its internal practices, books, records, and policies and procedures relating to the use and disclosure of PHI received from, or created or received by PicassoMD on behalf of User, available to the federal Department of Health and Human Services (HHS), the Office for Civil Rights (OCR), or to User for purposes of monitoring compliance with HIPAA and the HIPAA Rules.

K. Term and Termination.

1. Term and Termination. This Agreement commences on the Effective Date. Unless terminated earlier pursuant to this Section K, this BAA will remain in effect for the duration of all services provided by User and for so long as The Parties shall remain in possession of any PHI received or created during use of The Services, unless PicassoMD or User has agreed in accordance with Section K.2 that it is infeasible to return or destroy all PHI. PicassoMD may immediately terminate this Agreement if PicassoMD determines that User has breached a material term of this Agreement. User may immediately terminate this Agreement if User determines that PicassoMD has breached a material term of this Agreement. The Parties may also report the material breach to the Secretary of HHS or OCR.

2. Effect of Termination. Upon termination of this BAA, The Parties will recover any PHI in the possession of their subcontractors, agents, or representatives. The Parties will destroy all such PHI plus all other PHI in its possession, and will retain no copies. If The Parties believe that it is not feasible to destroy the PHI as described above, PicassoMD shall notify User, and/or User shall notify PicassoMD, in writing. The Parties will ensure that any and all protections, requirements and restrictions contained in this BAA will be extended to any PHI retained after the termination of this BAA, and that any further uses and/or disclosures will be limited to the purposes that make the return or destruction of the PHI infeasible.

L. Miscellaneous.

1. Survival. The respective rights and obligations of the Parties under Sections I (Audit and Inspection Rights), K.2 (Effect of Termination), and L (Miscellaneous) will survive termination of this BAA indefinitely.

2. Amendments; Waiver. This BAA constitutes the entire agreement between the Parties with respect to the HIPAA Rules. It may not be modified, nor will any provision be waived or amended, except in a writing duly signed by authorized representatives of User and/or PicassoMD. A waiver with respect to one event will not be construed as continuing, or as a bar to or waiver of any right or remedy as to subsequent events.

3. Compliance with Privacy and Security Rules. Any ambiguity in this BAA shall be resolved in favor of a meaning that permits The Parties to comply with the HIPAA Rules. To the extent the HIPAA Rules are revised, this BAA shall be deemed automatically amended to the extent necessary to comply with such revisions.

4. No Third Party Beneficiaries. Nothing expressed or implied in this BAA is intended to confer, nor shall anything herein confer, upon any other person, other than the User and PicassoMD, and their successors and assigns, any rights, remedies, obligations, or liabilities whatsoever.

5. Notices. Any notice to be given under this BAA shall be made via U.S. Mail, commercial courier or electronic mail. Any such notice shall be deemed given when received at the proper address.