Business Associate Agreement
This Business Associate Agreement (this “Agreement”) is entered into by and between MH Sub I, LLC (“we”, “us”, “our”) and you (“Healthcare Provider”) who entered into a Service Agreement with us. This Agreement applies with respect to any and all Protected Health Information (PHI) that may be collected, accessed, used, processed or disclosed pursuant to our performance and Healthcare Provider’s receipt of services under the Service Agreement.
Pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as updated and amended by Subtitle D of the Health Information Technology for Economic and Clinical Health Act ( the “HITECH Act”), we may from time to time act as a business associate in the performance of services for Healthcare Provider under the Service Agreement. In such event, the Healthcare Provider is a covered entity. Pursuant to this Agreement, we and Healthcare Provider agree to access, use, process and disclose any such PHI in compliance with the requirements of HIPAA and the HITECH Act.
By accepting the terms of the Service Agreement or by using any service made available under the terms of the Service Agreement, Healthcare Provider accepts the term and conditions of this Agreement. Please note that we reserve the right, at our sole discretion, to change this Agreement from time to time. Healthcare Provider’s continued use of the services provided under the Service Agreement after any such change takes effect will be deemed to constitute Healthcare Provider’s acceptance of and agreement to the revisions to this Agreement.
1. Definitions. Capitalized terms not defined in this Agreement will be defined as provided in HIPAA, the HITECH ACT and their implementing rules.
2. Uses and Disclosures of PHI.
2.1 We may from time to time disclose PHI to Healthcare Provider in conjunction with Healthcare Provider’s receipt of services under the Service Agreement. For purposes of this Agreement, “Protected Health Information” (PHI) is limited to PHI, as defined in HIPAA, HITECH and their implementing rules, that is accessed, used, processed or disclosed pursuant to the Service Agreement.
2.2 Neither party will access, use, process or disclose such PHI for any purpose other than as permitted under this Agreement. Each party may access, use, process and disclose the PHI it receives for the proper management and administration of such party, to perform its obligations under and receive the benefits of the service delivered under the Service Agreement and to otherwise carry out its legal responsibilities; provided, however, that in all cases such use is permitted under applicable law. Either party may disclose PHI if the disclosure is required by law. Either party may also disclose PHI for the proper management and administration of the business of such party, provided it obtains reasonable assurances from the person to whom the information is disclosed that it will be held confidentially and used or further disclosed only as required by law and for the purpose for which it was disclosed.
2.3 Each party will maintain appropriate safeguards including, but not limited to, administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the PHI.
2.4 If either party becomes aware of any unauthorized access to or use, processing or disclosure of unsecured PHI, it will so notify the other party. Such notice will contain: (i) the date of discovery of the unauthorized access, use, processing or disclosure; (ii) a listing of the identification of individuals and/or classes of individuals who are subject to the unauthorized access, use, processing or disclosure; and (iii) a general description of the nature of the unauthorized access, use, processing or disclosure. The party responsible for such unauthorized access, use, processing or disclosure will perform an appropriate risk assessment to determine whether the PHI has been compromised. In performing the risk assessment, such party will consider a combination of factors such as: (a) the nature and extent of the PHI affected, (b) the unauthorized person who impermissibly used the PHI or to whom the PHI was impermissibly disclosed; (c) whether PHI was acquired or viewed and (d) the extent to which the risk to the PHI has been mitigated. The results of such risk assessment will be provided to other party. We are not responsible for monitoring Healthcare Provider’s own access to or use, processing or disclosure of PHI.
2.5 In the event of an unauthorized access to or use, processing or disclosure of unsecured PHI, the party responsible for such unauthorized access to or use, processing or disclosure of unsecured PHI will use reasonable efforts to mitigate, to the extent practicable, any harmful effect arising from such unauthorized access to or use, processing or disclosure of unsecured PHI.
2.6 The parties will cooperate with respect to any required notifications that must be made to the individuals or the media with respect to any unauthorized access to or use, processing or disclosure of unsecured PHI.
2.7 With respect to any Subcontractor or agent to whom either party provides PHI, the disclosing party will first contractually obligate such Subcontractor or agent to agree to protect such PHI pursuant to terms and conditions at least as protective as the terms of this Business Associate Agreement.
2.8 We may de-identify any and all PHI that is in its possession or control provided that we implement de-identification criteria in accord with applicable law. De-identified information does not constitute PHI and is not subject to the terms of this Agreement.
3. Compliance with Law
3.1 Each party is responsible for its own compliance with any and all existing or subsequent laws, whether by statute, regulation, common law, or otherwise, related to its access to or use, processing or disclosure of PHI. Healthcare Provider agrees that it will have and maintain appropriate consents from data subjects, as may be necessary, for us to access, use, process and disclose PHI in accordance with its delivery of services under the Service Agreement and as otherwise permitted under this Agreement.
3.2 The parties will provide each other only the minimum amount of PHI necessary for us to perform the services described in the Service Agreement.
3.3 Upon request by the Department of Health and Human Services (“HHS”), each party will make available to HHS the internal practices, books, and records of such party relating to the use and disclosure of PHI for purposes of ensuring compliance with the provisions of HIPAA and the HITECH Act.
3.4 In the event that we receive an inquiry from an individual for access to or the right to amend PHI, it will advise Healthcare Provider of that communication and the request. The parties will cooperate in making PHI available to the individual and in making the requested amendment of PHI. The Healthcare Provider will retain and make available on request information required to provide an accounting of disclosures in accordance with the provisions of HIPAA and the HITECH Act.
4. Termination and Destruction of PHI.
4.1 In the event that either party reasonably determines that the other has accessed, used, processed or disclosed unsecured PHI in a manner inconsistent with a material term of this Agreement, it will provide written notice of such breach to the other party and specify in reasonable detail any such breach. Upon receipt of such written notice, the receiving party will have 30 days to achieve compliance with this Agreement or to establish a reasonable schedule for compliance with this Agreement. In the event that a party fails or refuses to comply with this obligation, the other party may terminate this Agreement upon written notice. If either party reasonably determines that the other party has accessed, used, processed or disclosed PHI in a manner inconsistent with this Agreement following written notice of a prior breach, the non-breaching party may immediately terminate the Agreement.
4.2 Within thirty (30) days of termination of this Agreement, we will return to Healthcare Provider, or destroy, the PHI made available to us by the Healthcare Provide that is in our control and take reasonable steps to ensure that we have no means of identifying or reidentifying individuals who are the subject of such PHI. We will also obligate any Subcontractor to return to us, or destroy, any such PHI in the Subcontractor’s control.
4.3 In the event that we are unable to return or destroy the PHI in its control, we will continue to protect such PHI from further disclosure.
5. Limitation of Liability. UNDER NO CIRCUMSTANCES WILL WE OR OUR AFFILIATES, OR ANY OF ITS OR THEIR RESPECTIVE DIRECTORS, OFFICERS, SHAREHOLDERS, PROPRIETORS, PARTNERS, EMPLOYEES, AGENTS, REPRESENTATIVES, SERVANTS, ATTORNEYS, PREDECESSORS, SUCCESSORS OR ASSIGNS, BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, PUNITIVE, EXEMPLARY OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, LOST PROFITS AND DAMAGES THAT RESULT FROM INCONVENIENCE, DELAY, OR LOSS OF USE) ARISING OUT OF ITS ACCESS TO OR USE, PROCESSING OR DISCLOSURE OF PHI, EVEN IF IT OR THEY HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages; thus, this limitation may not be applicable.
6. Indemnification. Healthcare Provider will defend, indemnify, and hold harmless us and our affiliates, and its and their respective directors, officers, shareholders, proprietors, partners, employees, agents, representatives, servants, attorneys, predecessors, successors and assigns, from and against any and all claims, proceedings, damages, injuries, liabilities, losses, costs and expenses (including reasonable attorneys’ fees and litigation expenses), relating to or arising from Healthcare Provider’s (i) unauthorized access to or use, processing or disclosure of PHI, (ii) breach of this Agreement or (iii) violation of applicable law.
7. Notices. All notices and other communications required or permitted to be given by us to you under this Agreement will be deemed to be properly given on the date when sent by email to the email address for you last recorded by us or sent by postal mail or private courier to the postal address for you last recorded by us. All notices and other communications required or permitted to be given by you to us under this Agreement will be deemed to be properly given on the date when sent by postal mail or private courier to 909 N. Sepulveda Blvd., 11th Floor, El Segundo, CA 90245, Attention: Legal Department.
8. Miscellaneous. This Agreement contains the final and entire agreement regarding your use of the Services and supersedes all previous and contemporaneous oral or written agreements. The failure by either party to enforce any right or provision of this Agreement will not constitute a waiver of that provision or of any other provision of this Agreement. If any provision of this Agreement is determined to be invalid or unenforceable by a court, such provision will be deemed severable and the remainder of this Agreement will remain in full force and effect. This Agreement may not be assigned by you. Both parties agree that this Agreement, as well as any and all claims arising from this Agreement will be governed by and construed in accordance with federal law and the laws of the State of California, without reference to its conflicts of law rules, and the parties irrevocably submit to the exclusive jurisdiction and venue of the courts of Los Angeles County, California and the Central District Court of California, respectively. The parties are independent contractors and this Agreement does not create an agency, partnership or joint venture. This Agreement may be executed in multiple counterparts, each of which will constitute an original and all of which taken together will constitute one and the same Agreement.
Last Revised: October 1, 2014