Business Associate Agreement

Please read the Business Associate Agreement, then sign below. You will receive a copy to the email address you enter below
  • BUSINESS ASSOCIATE AGREEMENT

    This Business Associate Agreement (“Agreement“) was entered into as of the Date defined below (“Commencement Date“), by and between (“Covered Entity“) (as defined below), and Rocky Mountain Tech Team. (“Business Associate“) Located at 2525 Arapahoe Ave. E4-184, Boulder, Colorado, 80303. The Covered Entity is referred to below as “CE.“ The Business Associate is referred to below as “BA.“

    RECITALS

    A.This Agreement is entered into by CE and BA for the purposes of complying with privacy and security regulations issued by the United States Department of Health and Human Services under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA“) and the Health Information Technology for Economic and Clinical Health Act (“HITECH Act“).

    B.CE is a covered entity as such term is defined under HIPAA, and as such is required to comply with the requirements thereof regarding the confidentiality and privacy of Protected Health Information (“PHI“) (defined below).

    C.BA provides services to or on behalf of CE pursuant to the terms of their Engagement Agreement, between CE and BA (the “Service Agreement“), that may require CE to disclose individually identifiable health information to BA, some of which may constitute Protected Health Information (“PHI“)(defined below).

    NOW THEREFORE, in consideration of the promises and mutual agreement contained herein, and other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the parties, intending to be legally bound, agree as set forth below.

    AGREEMENT

    1.DEFINITIONS

    For the purposes of this Agreement, the following terms shall have the meanings ascribed to them below:

    1.1“Breach“ shall have the meaning given to such term under the Privacy Rule, including but not limited to, 45 C.F.R. § 164.402.

    1.2“Business Associate“ shall have the meaning given to such term under the Privacy Rule, including but not limited to, 45 C.F.R. § 160.103.

    1.3“Covered Entity“ shall have the meaning given to such term under the Privacy Rule, including but not limited to, 45 C.F.R. § 160.103.

    1.4“Designated Record Set“ shall have the meaning given to such term under the Privacy Rule, including but not limited to, 45 C.F.R. § 164.501.

    1.5“Disclosure“ shall have the meaning given to such term under the Privacy Rule, including but not limited to, 45 C.F.R. § 160.103.

    1.6“Electronic Protected Health Information“ or “ePHI“ shall have the meaning given to such term under the Privacy Rule, including but not limited to, 45 C.F.R. § 160.103.

    1.7“Individual“ shall have the meaning given to such term under the Privacy Rule, including but not limited to, 45 C.F.R. § 160.103.

    1.8“Minimum Necessary“ shall have the meaning given to such term under the Privacy Rule, including but not limited to, 45 C.F.R. §§ 164.502(b) and 164.514(d).

    1.9“Privacy Rule“ shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. Part 160 and Part 164, Subparts A and E.

    1.10“Protected Health Information“ or “PHI“ shall have the meaning given to such term in 45 C.F.R. §§ 160.103 and 164.501, and is the information created or received by BA from or on behalf of CE.

    1.11“Required By Law“ shall have the meaning given to such term in 45 C.F.R. §

    164.103.

    1.12“Secretary“ shall have the meaning given to such term in 45 C.F.R. § 160.103.

    1.13“Security Incident“ shall have the meaning given to such term under the Security Rule, including but not limited to, 45 C.F.R. § 164.304.

    1.14“Security Rule“ shall mean the Security Standards for the Protection of Electronic Protected Health Information at 45 C.F.R. Part 160 and Part 164, Subparts A and C.

    1.15“Subcontractor“ shall have the meaning given to such term under the Privacy Rule, including but not limited to, 45 C.F.R. § 160.103.

    1.16“Unsecured Protected Health Information or PHI“ shall have the meaning given to such term under the Privacy Rule, including but not limited to, 45 C.F.R. § 164.402.

    1.17“Use“ shall have the meaning given to such term under the Privacy Rule, including but not limited to, 45 C.F.R. § 160.103.

    2.OBLIGATIONS OF BUSINESS ASSOCIATE

    2.1Permitted Uses and Disclosures of PHI. BA, its directors, officers, Subcontractors, employees, affiliates, agents, and representatives shall use or disclose PHI only (a) in connection with fulfilling its duties and obligations under this Agreement and the

    Service Agreement; (b) for the proper management and administration of BA; or (c) to carry out the legal responsibilities of BA.

    2.2Prohibited Uses and Disclosures of PHI. BA shall not use or disclose PHI other than as permitted or Required By Law. BA shall not use or disclose PHI in any manner that violates state or federal laws, or would violate such laws if used or disclosed in such manner by CE.

    2.3Third Party Disclosures. BA shall obtain and maintain an agreement with each Subcontractor that has or will have access to PHI which is received from, created, or received by BA on behalf of CE, pursuant to which agreement such Subcontractor agrees to be bound by the same restrictions, terms, and conditions that apply to BA pursuant to this Agreement with respect to such PHI. BA shall also (a) obtain reasonable assurances from the Subcontractor that the PHI will be held in confidence and used or further disclosed only as Required by Law or for the purpose for which it was disclosed, and (b) obligate such person to notify BA of any instance in which PHI is used or disclosed that is not provided for in the Service Agreement, including incidents that constitute breaches of unsecured PHI or any security incident of which it becomes aware in which the confidentiality of the PHI has been breached.

    2.4Minimum Necessary. BA and its agents or Subcontractors shall request, use and disclose only the minimum amount of PHI necessary to accomplish the purpose of the request, use or disclosure. To the extent BA uses or discloses PHI received from, created, or received by BA on behalf of CE, BA will make reasonable efforts to limit PHI to the Minimum Necessary to accomplish the intended purpose of the use, disclosure or request.

    2.5Access of Individuals to PHI.

    (i)BA shall make PHI maintained by BA or its agents or Subcontractors available to CE for inspection and copying within five (5) business days of a written request by CE to enable CE to fulfill its obligations under the Privacy Rule. If BA maintains ePHI, BA shall provide such information in electronic format to enable CE to fulfill its obligations under 45 C.F.R. § 164.524.

    (ii)In the event an Individual or entity requests access to PHI from BA, BA shall forward such request to CE within two (2) business days. CE is responsible for determining what PHI shall be unavailable to the Individual pursuant to 45 C.F.R. § 164.524.

    (iii)Any denial of access to PHI determined by CE pursuant to 45 C.F.R. § 164.524, and conveyed to BA by CE, shall be the responsibility of CE, including resolutionor reporting of all appeals, and/or complaints arising from denials.

    (iv)BA shall cooperate with CE in a manner that enables CE to meet its obligations under 45 C.F.R § 164.524.

    2.6Amendment of PHI.

    (i)In order to allow CE to respond to a request by an Individual for an amendment pursuant to 45 C.F.R. § 164.526, BA shall, within five (5) business days of a written request by CE for PHI about an Individual contained in a Designated Record Set, make such PHI available to CE for so long as such information is maintained in the Designated Record Set.

    (ii)In the event that any Individual requests that the BA amend his/her PHI, BA shall forward such request to CE within two (2) business days. The CE is responsible for determining what PHI is unavailable to the Individual pursuant to 45 C.F.R. § 164.526.

    (iii)Any denial of an amendment to PHI determined by CE pursuant to 45 C.F.R. § 164.526, and conveyed to BA by CE, shall be the responsibility of CE, including resolution or reporting of all appeals and/or complaints arising from denials.

    (iv)BA shall cooperate with CE in a manner that enables CE to meet its obligations under 45 C.F.R. § 164.526.

    (v)Within ten (10) business days of receipt of a request from CE to amend an Individual’s PHI in a Designated Record Set, BA shall incorporate any amendments, statements of disagreement, and/or rebuttals approved by CE into its Designated Record Set, as required by 45 C.F.R. § 164.526.

    2.7Accounting of Disclosures.

    (i)In order to allow CE to respond to a request by an Individual for an accounting of disclosures of a Designated Record Set pursuant to 45 C.F.R. § 164.528, BA shall, within five (5) business days of a CE’s written request for an accounting of disclosures of PHI about an Individual, make such information available to CE. At a minimum, BA shall provide CE with the following information: (a) the date of the disclosure; (b) the name of the entity or person who received the PHI, and, if known, the address of such entity or person; (c) a brief description of the PHI disclosed; and (d) a brief statement of the purpose of such disclosure.

    (ii)In the event an Individual requests an accounting of disclosures of PHI directly from BA, BA shall forward such request to CE within two (2) business days.

    (iii)BA shall implement an appropriate recordkeeping process to enable it to comply with the requirements of 45 C.F.R. § 164.528.

    (iv)BA shall cooperate with CE in a manner that enables CE to meet its obligations under 45 C.F.R. § 164.528.

    2.8Subpoena or Legal Request for PHI. BA shall notify CE within two (2) business days of receipt of any request, subpoena, or other legal process to obtain PHI receivedfrom, or created or received by BA on behalf of CE. The provisions of this Section shall survive the termination of this Agreement.

    2.9Reporting Breaches, Improper Disclosures, and Security Incidents.

    (i)Breaches. In the event of a Breach of any Unsecured PHI that BA accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds or uses on behalf of CE, BA shall report such Breach to CE immediately, but in no event more than five (5) days after discovering the breach.

    (ii)Improper Disclosures. BA shall report any unauthorized or improper use or disclosure of PHI regarding the terms and conditions of this Agreement or applicable federal and state laws to CE as soon as practicable, but in no event later than five (5) businessdays of the date on which BA becomes aware of such unauthorized or improper use or disclosure. BA shall, in consultation with CE, mitigate to the extent practicable any harmful effect of such improper disclosures.

    (iii)Security Incidents. BA shall report to CE any Security Incident of which it becomes aware within five (5) business days.

    2.10Safeguards.

    (i)BA shall employ appropriate administrative, technical, and physical safeguards, consistent with the size and complexity of BA’s operations, to protect the confidentiality and security of PHI that it creates, receives, maintains, or transmits on behalf of CE and to prevent the use or disclosure of PHI in any manner inconsistent with the terms of this Agreement.

    (ii)BA shall implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the ePHI that it creates, receives, maintains, or transmits on behalf of CE. Such safeguards shall include implementing written policies and procedures in compliance with HIPAA and the HITECH Act, conducting a security risk assessment, and training BA employees who will have access to PHI on BA’s policies and procedures as required by HIPAA and the HITECH Act.

    2.11Availability of Books and Records to CE. Within ten (10) calendar days of a written request by CE, BA and its agents or Subcontractors shall permit CE to audit BA’s internal practices, books, and records at reasonable times as they pertain to the use and disclosure of PHI received from, or created or received by BA on behalf of CE in order to ensure that CE and BA are in compliance with the requirements of this Agreement, and to the extent that CE determines such examination is necessary to comply with CE’s obligations pursuant to HIPAA. The availability of books and records from BA to CE is subject to the following conditions:

    (i)BA and CE shall mutually agree in advance upon the scope, timing, and location of such an inspection.

    (ii)CE shall protect the confidentiality of all confidential and proprietary information of BA to which CE has access during the course of inspection.

    (iii)CE shall execute a nondisclosure agreement, under terms mutually agreed upon by the parties, if requested by BA.

    2.12Governmental Access to Records. BA shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary for purposes of determining BA’s compliance with the Privacy Rule and the Security Rule. BA shall notify CE within ten (10) calendar days of learning that BA has become the subject of an audit, compliance review, or complaint investigation by the Secretary. BA shall provide to CE a copy of such request for information and a copy of any PHI that BA provides to the Secretary concurrently with providing such PHI to the Secretary.

    3.OBLIGATIONS OF COVERED ENTITY

    3.1Obligations. CE warrants that CE, its directors, officers, subcontractors, employees, affiliated agents, and representatives: (a) shall comply with the Privacy Rule in its use or disclosure of PHI; (b) shall not use or disclose PHI in any manner that violates applicable federal and state laws; (c) shall not request BA to use or disclose PHI in any manner that violates applicable federal and state laws if such use or disclosure were done by CE; and

    (d) may request BA to disclose PHI directly to another party only for the purposes allowed by the Privacy Rule.

    3.2Breach. CE shall provide notice to BA of any pattern of activity or practice of BA that CE believes constitutes a material breach or violation of the BA’s obligation under the Service Agreement or this Agreement within five (5) calendar days of discovery and shall meet with BA to discuss and attempt to resolve the problem as one of the reasonable steps to cure the breach or end the violation.

    3.3Notice of Privacy Practices. CE will notify BA of any limitation(s) in its notice of privacy practices in accordance with 45 C.F.R. § 164.520, to the extent that such limitation may affect BA’s use or disclosure of PHI. CE shall provide such notice no later than fifteen (15) days prior to the effective date of the limitation.

    3.4Notification of Changes Regarding Individual Permission. CE shall notify BA of any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent that such changes may affect BA’s use or disclosure of PHI. CE shall provide such notice no later than fifteen (15) days prior to the effective date of the change.

    3.5Notification of Restrictions to Use or Disclosure of PHI. CE shall notify BA of any restriction to the use or disclosure of PHI that CE has agreed to in accordance with 45 C.F.R. § 164.522, to the extent that such restriction may affect BA’s use or disclosure of PHI.

    CE shall provide such notice no later than fifteen (15) days prior to the effective date of the restriction.

    3.6Permissible Requests by CE. CE shall not request BA to use or disclose PHI in any manner that would not be permissible under HIPAA if done by CE, except as permitted pursuant to Section 2

    3.7Notice of Privacy Practices. Upon request from BA, CE will provide BA with a copy of its Notice of Privacy Practices.

    4.TERM AND TERMINATION

    4.1Term. This Agreement shall commence on the Commencement Date and shall continue, unless earlier terminated pursuant to the terms and conditions herein, until the expiration of the Service Agreement (the “Term“).

    4.2Material Breach. A breach by BA of any provision of this Agreement, as determined by CE, shall constitute a material breach of this Agreement and shall provide grounds for immediate termination of the Service Agreement, any provision of the Service Agreement to the contrary notwithstanding.

    (i)Where CE has knowledge of a material breach by BA, and a cure is possible, CE shall provide BA with an opportunity to cure. Where said breach is not cured within ten (10) business days of BA’s receipt of notice from CE of said breach, CE shall terminate the Service Agreement.

    (ii)CE shall have the right to cure any breach of BA’s obligations under this Agreement. CE shall give BA notice of its election to cure any such breach, and BA shall cooperate fully in the efforts by CE to cure BA’s breach. All requests from CE to BA for payment for such services shall be paid within thirty (30) business days.

    (iii)In the event that BA or CE has knowledge of a material breach of this Agreement by the other, and a cure is not possible, the non-breaching party shall terminate the portion of the Service Agreement that is affected by the breach. When neither cure nor termination is feasible, the non-breaching party shall report the violation to the Secretary.

    4.3Judicial or Administrative Proceeding. CE may terminate the Service Agreement, effectively immediately, if: (a) BA is named as a defendant in a criminal proceeding for a violation of HIPAA, the HITECH Act, or other privacy or security laws; or (b) a finding or stipulation that the BA has violated any standard or requirement of HIPAA, the HITECH Act, or other privacy or security laws is made in any administrative or civil proceeding in which BA has been joined.

    4.4Effect of Termination. Upon termination of the Service Agreement for any reason, BA shall return or destroy all PHI that BA or its agents or Subcontractors still maintain in any form, and shall retain no copies of such PHI. BA shall certify in writing to CE that the PHI has been destroyed. If return or destruction is not feasible, as determined by CE, BA shall continue to extend the protections of Section 2 of this Agreement to such information, and limit further use of such PHI to those purposes that make the return or destruction of such PHI impractical. All destruction shall be in accordance with HIPAA, the HITECH Act, and applicable state law.

    5.MISCELLANEOUS

    5.1Amendment. The parties agree to take such action to amend this Agreement from time to time as is necessary to comply with the requirements of HIPAA.

    5.2Notices. Any notice, demand or communication required, permitted or desired to be given hereunder shall be in writing and shall be delivered personally, by certified mail, return receipt requested, postage prepaid, or by transmission by a telecommunications device, and shall be effective on the earliest of: (a) on the day when personally served, including delivery by overnight mail and courier service; (b) on the third day after its deposit in the United States mail; or (c) on the business day of confirmed transmission by telecommunications device. The addresses of the parties hereto (until notice of a change thereof is served as provided in this Section 6.2) are included in the CE and BA Engagement Letter:

    5.3Limitation on Liability. Any limitations of liability as set forth in this Agreement shall not apply to damages related to a breach of BA’s privacy or security obligations under the Service Agreement or this Agreement.

    5.4Disclaimer. CE makes no warranty or representation that compliance by BA with this Agreement, HIPAA, or the HITECH Act will be adequate or satisfactory for BA’s own purposes. BA is solely responsible for all decisions made by BA regarding the safeguarding of PHI.

    5.5Certification. To the extent that CE determines that such an examination of BA’s security practices is necessary to comply with CE’s legal obligations pursuant to HIPAA, CE or its authorized agents or contractors, may examine BA’s facilities, systems, procedures and records as may be necessary for such agents or contractors to certify to CE the extent to which BA’s security safeguards comply with HIPAA, the HITECH Act, or this Agreement.

    5.6Assistance in Litigation or Administrative Proceedings. BA shall make itself, and any Subcontractors, employees or agents assisting BA in the performance of its obligations under the Service Agreement or Agreement, available to CE, at no cost to CE, to testify as witnesses, or otherwise, in the event of litigation or administrative proceedings being commenced against CE, its directors, officers or employees based upon a claimed violation of HIPAA, the HITECH Act, or other laws relating to security and privacy, except where BA or its Subcontractor, employee or agent is a named adverse party.

    5.7No Third-Party Beneficiaries. Except as expressly provided for in the Privacy Rule, there are no third party beneficiaries to this Agreement. BA’s obligations under this Agreement are owed to CE only.

    5.8Effect on Service Agreement. Except as specifically required to implement the purposes of this Agreement, or to the extent inconsistent with this Agreement, all otherterms of the Service Agreement shall remain in force and effect.

    5.9Interpretation. The provisions of this Agreement shall prevail over any provisions in the Service Agreement that may conflict with or are inconsistent with any provision in this Agreement. This Agreement and the Service Agreement shall be interpreted as broadly as necessary to implement and comply with HIPAA and the HITECH Act. The parties agree that any ambiguity in this Agreement shall be resolved in favor of a meaning that complies and is consistent with HIPAA and the HITECH Act.

    5.10Conflicting Terms. In the event any terms of this Agreement conflict with any terms of the Service Agreement, the terms of this Agreement shall govern and control.

    5.11Governing Law. This Agreement shall be governed by and construed in accordance with the laws of the State of Colorado.

  • Signatures

    IN WITNESS WHEREOF, each of the undersigned has duly executed this Agreement on behalf of the party and on the date set forth below.
  • BUSINESS ASSOCIATE

    Company: Rocky Mountain Tech Team
    Print Name: Brandon Hamilton
    Title: President
    Date: 09/21/2019

    COVERED ENTITY
  • Date Format: MM slash DD slash YYYY