Business Associate Agreement
This Business Associate Agreement (the “Agreement”) Customer agreeing to the terms below (“Customer“) and Ambula Inc. and its subsidiaries (“Business Associate”) will be in effect during any such time period that Customer has subscribed to and is using services provided by Ambula Inc. and/or its subsidiaries and upon termination as set forth in Section 5 of this Agreement.
You represent and warrant that (i) you have the full legal authority to bind Customer to this BAA, (ii) you have read and understand this BAA, and (iii) you agree, on behalf of Customer, to the terms of this BAA. If you do not have legal authority to bind Customer, or do not agree to these terms, please do not sign or click to accept the terms of this BAA.
WHEREAS, Customer has engaged Business Associate to perform services or provide software, or both;
WHEREAS, Customer possesses Individually Identifiable Health Information that is protected under HIPAA (as hereinafter defined), the HIPAA Privacy Regulations (as hereinafter defined), the HIPAA Security Regulations (as hereinafter defined), and the HITECH Standards (as hereinafter defined) and is permitted to use or disclose such information only in accordance with such laws and regulations;
WHEREAS, Business Associate may receive such information from Customer, or create and receive such information on behalf of Customer, in order to perform certain of the services or provide certain of the goods, or both; and
WHEREAS, Customer wishes to ensure that Business Associate will appropriately safeguard Individually Identifiable Health Information;
WHEREAS, Customer and Business Associate agree as follows:
The parties agree that the following terms, when used in this Agreement, shall have the following meanings, provided that the terms set forth below shall be deemed to be modified to reflect any changes made to such terms from time to time as defined in the HIPAA Privacy Regulations, the HIPAA Security Regulations, and the HITECH Standards (collectively the HIPAA Rules). Terms used in this agreement and not otherwise defined shall have the meaning of those terms in the HIPAA Rules.
“Business Associate” shall have the same meaning as the definition for Business Associate set forth in 45 CFR 160.103.
“Customer” means a health plan, a health care provider who transmits any health information in electronic form in connection with a transaction covered by the HIPAA Privacy and HIPAA Security Regulations. Customer must have an existing Services Agreement or subscribe to Ambula’s software in place for this BAA to be valid and effective. Together with the Services Agreement, this BAA will govern each party’s respective obligations regarding Protected Health Information (defined below).
“Data Aggregation” means, with respect to PHI created or received by a Business Associate in its capacity as the Business Associate of a Customer, the combining of such PHI by the Business Associate with the PHI received by the Business Associate in its capacity as a Business Associate of another Customer, to permit data analyses that relate to the health care operations of the respective Covered Entities.
“Terms of Service Agreement” or TOS is the agreement between Ambula Inc. and its customers and end users. The TOS dictates the subscription terms and conditions, service level agreements and payment terms.
“Data Retention Period” is a designated time defined within the Ambula Inc. Terms of Service Agreement (TOS). Ambula Inc. will maintain Customer’s data containing ePHI for the defined period of time to allow Customer sufficient time to validate their downloaded data from the Ambula Inc. system. “Individually Identifiable Health Information” means information that is a subset of health information, including demographic information collected from an individual, and;
“Individually Identifiable Health Information” means information that is a subset of health information, including demographic information collected from an individual, and;
- is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
- relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for provision of health care to an individual; and
- that identifies the individual; or
- with respect to which there is a reasonable basis to believe the information can be used to identify the individual.
“Individual” means the same meaning as the term “individual” in 45 CFR § 164.501 and shall include a person who qualifies as a personal representative in accordance with 45 CFR § 164.502(g).
“Protected Health Information” or “PHI” has the same meaning as the term “protected health information” in 45 CFR § 164.501, limited to the information created or received by Business Associate from or on behalf of Customer and not including any unsolicited information received directly from an individual who is not yet a patient of Customer.
“Electronic Protected Health Information” or “ePHI” means the Protected Health Information that is transmitted by or maintained in electronic media as defined in the HIPAA Security Regulations.
“HIPAA” means the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191.
“HIPAA Privacy Regulations” means the regulations promulgated under the HIPAA by the United States Department of Health and Human Services to protect the privacy of Protected Health Information, including but not limited to, 45 CFR § 160 and 45 CFR § 164, Subpart A and E.
“HIPAA Security Regulations” means the regulations promulgated under HIPAA by the United States Department of Health and Human Services to protect the security of Electronic Protected Health Information, including, but not limited to 45 CFR § 160 and 45 CFR § 164, Subpart A and C.
“HITECH Standards” means the privacy, security and security Breach notification provisions applicable to a Business Associate under Subtitle D of the Health Information Technology for Economic and Clinical Health Act (“HITECH”), which is Title XIII of the American Recovery and Reinvestment Act of 2009 (Public Law 111-5), and any regulations promulgated thereunder.
“Breach” shall mean the acquisition, access, use, or disclosure of Protected Health Information in a manner not permitted under 45 CFR § 164, Subpart E (the “HIPAA Privacy Rule”) “Breach” shall not include:
- Any unintentional acquisition, access or use of Protected Health Information by a workforce member or person acting under the authority of Customer or Business Associate, if such acquisition, access or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under the HIPAA Privacy Rule; or
- Any inadvertent disclosure by a person who is authorized to access Protected Health Information at Customer or Business Associate to another person authorized to access Protected Health Information at Customer or Business Associate, respectively, or organized health care arrangement in which Customer participates, and the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under the HIPAA Privacy Rule; or
- A disclosure of Protected Health Information where Customer or Business Associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.
- A Disclosure of Protected Health Information where a Customer or Business Associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the factors set forth in 45 CFR 164.402 (2)(1)-(iv).
“Provider(s)” means any healthcare professional that provides billable services to patients who is an employee, customer, or has an employment, contractor, or agent relationship with a customer, for which the Service organizes information and provides medical billing management.
“Required By Law” shall have the same meaning as the term “required by law” in 45 CFR § 164.501.
“Secretary” means the Secretary of the United States of America Department of Health and Human Services or his designee.
- Obligations and Activities
The obligations and activities of the Business Associate, as required by the Health Insurance Portability and Accountability Act (HIPAA), as amended by the Health Information and Technology for Economic and Clinical Health (“HITECH Act”) and in regulations promulgated thereunder, are as follows:
- Business Associate agrees to not use or disclose Protected Health Information other than as necessary to provide the Services, including the provision of certain data aggregation services; (ii) to carry out its legal responsibilities; (iii) for the proper business management and administration of Company; and vi) Required By Law.
- Business Associate agrees to use appropriate safeguards to prevent use or disclosure of the Protected Health Information other than as provided for by this Agreement.
- Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this Agreement.
- Business Associate agrees to report to Customer any use or disclosure of the Protected Health Information not provided for by this Agreement of which it becomes aware.
- Business Associate agrees to ensure that any subcontractor, that creates receives, maintains or transmits electronic protected health information originating from the Customer on behalf of the Business Associate, agrees to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information.
- Business Associate agrees to provide access, at the request of Customer to Protected Health Information in a Designated Record Set, to Customer or, as directed by Customer, to an Individual in in a time and manner that allows Customer to meet the requirements under 45 CFR § 164.524.
- Business Associate agrees to make any amendment(s) to Protected Health Information in a Designated Record Set that the Customer directs or agrees to pursuant to 45 CFR § 164.526 at the request of Customer, in a time and manner that allows a Customer to meet the requirements of 45 CFR 164.526 and in the time and manner of within thirty (30) days.
- Business Associate agrees to document such disclosures of Protected Health Information and information related to such disclosures as would be required for Customer to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR § 164.528.
- Upon request of Customer, Business Associate agrees to provide to Customer or an Individual, information collected in accordance with Section 2 (ix) of this Agreement, as necessary to permit Customer to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR § 164.528.
- Business Associate agrees to implement administrative, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic Protected Health Information that it creates, receives, maintains, or transmits on behalf of the Customer in accordance with the 45 CFR 164.306 (the HIPAA Security standards).
- Business Associate shall report to the Customer any use or disclosure of Protected Health Information not permitted by this Agreement. Business Associate shall report any Breach of Unsecured Protected Health Information to Customer in a manner that is in compliance with its obligations pursuant to 45 CFR §164.410. A report of a Breach of Unsecured Protected Health Information will be made by Business Associate without reasonable delay, no later than five (5) business days from discovery as necessary to mitigate harm to an individual or in any event no later than ten (10) business days from time of discovery.
- Business Associate shall track and monitor all Security Incidents. Business Associate shall report a successful Security Incident in accordance with Section xii above and shall report unsuccessful Security Incidents upon request of Customer.
- When using, disclosing or requesting Protected Health Information, Business Associate agrees to use, disclose or request the minimal amount of information necessary for the stated purpose, unless an exception to the minimum necessary rule, as set forth in 45 CFR §164.502(b)(2).
- Permitted Uses and Disclosures
The permitted uses and disclosures of the Business Associate, as required by the Health Insurance Portability and Accountability Act (HIPAA) and in regulations promulgated thereunder, are as follows:
- Except as otherwise limited in this Agreement, Business Associate may use or disclose Protected Health Information to perform functions, activities, or services for, or on behalf of, Customer as specified in the Terms of Services Agreement and this Agreement, provided that such use or disclosure would not violate the Privacy Rule if done by Customer or the minimum necessary policies and procedures of the Customer.
- Except as otherwise limited in this Agreement, Business Associate may use Protected Health Information for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate provided that disclosures are Required By Law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
- Except as otherwise limited in this Agreement, Business Associate may use Protected Health Information to provide Data Aggregation services to Customer as permitted by 45 CFR § 164.504(e)(2)(i)(B).
- Business Associate may use Protected Health Information to report violations of law to appropriate Federal and State authorities, consistent with § 164.502(j)(1).
- As a part of the Services, certain information may be De-Identified. Business Associate shall be permitted to De-Identify PHI in accordance with the de-identification requirements of the Privacy Rule. The parties acknowledge and agree that once PHI is de-identified it is no longer subject to HIPAA.
The obligations of Customer, as required by Health Insurance Portability and Accountability Act (HIPAA) and in regulations promulgated thereunder, are as follow:
- To the extent that Customer utilizes services provided by the Business Associate to communicate with patients, Customer is responsible for obtaining and documenting authorizations or requests from patients to communicate through this service and to inform patients of risks associated with such communications as applicable. It shall be Customer’s responsibility to determine what permissions, authorizations or consents shall be documented and maintained for HIPAA compliance purposes. Business Associate does not obtain consent, authorization or permission from patients and the parties agree that is not Business Associate’s obligation to do so or to document or maintain any consent, authorization or permission obtained from patients.
- Customer shall notify Business Associate of any limitation(s) in its notice of privacy practices of Customer in accordance with 45 CFR § 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of Protected Health Information.
- Customer shall notify Business Associate of any changes in, or revocation of, permission by Individual to use or disclose Protected Health Information, to the extent that such changes may affect Business Associate’s use or disclosure of Protected Health Information.
- Customer shall notify Business Associate of any restriction to the use or disclosure of Protected Health Information that Customer has agreed to in accordance with 45 CFR § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of Protected Health Information.
- Customer shall not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under the Privacy Rule if done by Customer.
- Customer agrees to comply with the HIPAA Security Rule, including, without limitation, safeguarding all computers, laptops, cell phones, tablets, or other mobile devices in accordance with the HIPAA Security Regulations.
- Customer agrees that only providers of Customer can use the Business Associate’s software and or services. If anyone outside of Customer providers access the Business Associate’s software and or services, it shall be considered a breach.
- Customer agrees that only permitted devices chosen by the Business Associate can use the software and or services.
- Customer agrees to protect PHI from unauthorized alteration, destruction, or disclosure by implementing reasonable and appropriate measures to facilitate the maintenance of reliable system components, workflows, and data. Customer agrees that the admin pin code shall only be given to Customer employees who are authorized for alteration, destruction or disclosure of PHI under HIPAA Integrity Policy.
- Notwithstanding anything to the contrary stated in this Agreement, upon termination of this Agreement, for any reason, and after any Data Retention Period as is set forth in the Ambula Inc. Terms of Service Agreement between Business Associate and Customer during which Business Associate may obtain copies of Protected Health Information, Business Associate shall destroy all Protected Health Information received from Customer, or created or received by Business Associate on behalf of Customer. This provision shall apply to Protected Health Information that is in the possession of subcontractors or agents of Business Associate. Business Associate shall retain no copies of the Protected Health Information.
- In the event that Business Associate determines that returning or destroying the Protected Health Information is infeasible, Business Associate shall provide to Customer notification of the conditions that make return or destruction infeasible. Upon determination that return or destruction of Protected Health Information is infeasible, or to the extent that Business Associate retains Protected Health Information for a Data Retention Period as set forth above in Section 5(i), Business Associate shall extend the protections of this Agreement to such Protected Health Information and, where applicable, limit further uses and disclosures of such Protected Health Information to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such Protected Health Information.
- The respective rights and obligations of Business Associate under this Section 5 of this Agreement shall survive the termination of this Agreement for any reason.
- Dispute Resolution
Any controversy or claim arising out of or relating to this contract, or the breach thereof, shall be settled by mediation first and if parties failed to reach an agreement through arbitration administered by the rules of American Arbitration Association and pursuant to its Healthcare Payor Provider Arbitration Rules, and judgment on the award rendered by the arbitrator(s) may be entered in any court having jurisdiction thereof.
All claims, disputes, and controversies arising out of or in relation to the performance, interpretation, application, or enforcement of this agreement, including but not limited to breach thereof, shall be referred to mediation before, and as a condition precedent to, the initiation of any adjudicative action or proceeding, including arbitration.
If, during the mediation, a party (“offering party”) makes a written offer of compromise to another party which is not accepted by said party (“refusing party”) and the refusing party fails to obtain a more favorable judgment or award, the refusing party shall pay the offering party all costs and expenses, including reasonable attorney’s fees, incurred from the time the offer is refused.
Arbitration shall be administered by the rules of American Arbitration Association under its Commercial Arbitration Rules/Healthcare Payor Provider Rules/Rules of Procedure for Arbitration by the American Health Lawyers Association, and judgment on the award rendered by the arbitrator(s) may be entered in any court having jurisdiction thereof. The Tribunal will consist of three arbitrators. Each party shall appoint an arbitrator, and the two arbitrators so appointed shall appoint a third arbitrator who shall act as president of the tribunal. The place of arbitration will be Los Angeles County, State of California.
The party initiating recourse to arbitration (hereinafter referred to as “the claimant”) shall give to the other party (hereinafter referred to as “the respondent”) a notice of arbitration, which notice shall include: (i) a demand that the matter be referred to arbitration; (ii) the names and addresses of the parties; (iii) a reference to this arbitration clause; and (iv) a description of the nature and circumstances of the dispute giving rise to the claim(s) and a statement of the relief sought including, so far is possible, an indication of any amount(s) claimed.
- The parties agree that Customer will be using HIPAA compliant server and will have unilateral authority to choose and/or switch any such server providers. Ambula Inc. will continue to host and store all of the data that is currently stored on HIPAA compliant Google Cloud Server and Google FireStore Database for Customer when final software program will be released/provided. Any changes with regard to switching server request shall be provided by Customer in writing to Ambula Inc.. Reasonable time should be allowed to perform such change since there will be coordination time involved between releasing and hosting servers.
- The parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for Customer to comply with the requirements of the HIPAA Rules and the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191.
- The parties agree that Business Associate may unilaterally amend this Agreement from time to time for the reasons set forth in the above paragraph and for other business reasons and that any such amended agreement which Business Associate signs on a later date will supersede this Agreement.
- Any ambiguity in this Agreement shall be resolved to permit Customer to comply with the HIPAA Rules.
- The terms Customer and Business Associate are used in this Agreement only for purposes of convenience and are not meant to imply that either party would meet the definition of Customer or Business Associate set forth in the HIPAA regulations.
- To the extent not preempted by Federal law, this Agreement shall be governed and construed in accordance with the state laws governing California the Terms of Service Agreement, without regard to conflicts of laws provisions that would require application of the law of another state.
- This Agreement does not and is not intended to confer any rights or remedies upon any person other than the parties.
- This Agreement supersedes and replaces any prior business associate agreements between the Customer and Business Associate, including any of Ambula Inc.’s