Business Associate Agreement

This Business Associate Agreement (“BA Agreement”) is in effect as of your registration date or such later date on which compliance with the Privacy Rule is required by you the registered user (“Client”) and Avidity Health Care Solutions, Inc. (“Business Associate”).

ARTICLE I: DEFINITIONS

  • 1.1 General Rule. Capitalized terms not otherwise defined in the BA Agreement shall have the same meaning as those terms in the Privacy Rule.

  • 1.2 HIPAA means the Health Insurance Portability & Accountability Act of 1996, P.L. 104-91.

  • 1.3 HIPAA Regulations means the regulations promulgated under HIPAA by the U.S. Department of Health and Human Services, including the Privacy Rule.

  • 1.4 Client means all of the Covered Entities, named or un-named, comprising (“Client”) and/or owned health care organizations including, as of the date of execution of the BA Agreement: (“Client”).

  • 1.5 Privacy Rule means the Standards for Privacy of Individually Identifiable Health Information, codified at 45 CFR parts 160 and 164, Subparts A and E, as currently in effect.

  • 1.6 Protected Information means Protected Health Information (“PHI”) provided by Client to Business Associate, or created or received by Business Associate on Client’s behalf.

ARTICLE II: OBLIGATIONS OF BUSINESS ASSOCIATE

  • 2.1 General Requirements. Except as otherwise limited in this BA Agreement, Business Associate may use or disclose Protected Information to perform functions, activities, or services for, or on behalf of, Client as specified in the Underlying Agreement, provided that such Use or Disclosure would not violate the Privacy Rule if done by Client. Business Associate and its agents and subcontractors shall only request, use, and disclose the minimum amount of Protected Information necessary to accomplish the purpose of the permitted Use or Disclosure.

  • 2.2 Uses Permitted By Law. As permitted by the Privacy Rule, Business Associate may use or disclose Protected Information: (a) as is necessary for the proper management and administration of Business Associate’s organization, or (b) to carry out the legal responsibilities of Business Associate; provided, however, that any permitted Disclosure to a third party must be either Required By Law or subject to reasonable assurances obtained by Business Associate from the third party that the Protected Information will be held confidentially and used or disclosed only as Required By Law or for the purposes for which it was disclosed to such third party, and that any breaches of confidentiality of the Protected Information which become known to such third party will be immediately reported to Business Associate. Business Associate shall notify Client in a timely manner prior to making any Disclosure of Protected Information Required By Law, to afford Client the opportunity to respond to the request for such a Disclosure.

  • 2.3 Data Aggregation. Business Associate may provide Data Aggregation services relating to the Health Care Operations of Client.

  • 2.4 Disclosures to Agents and Subcontractors. Business Associate shall ensure that any agent or subcontractor to whom it provides Protected Information agrees in writing to the same terms set forth herein regarding the Use and Disclosure of Protected Information, including, but not limited to, implementation of safeguards, notice of prohibited Use or Disclosure, mitigation of harmful effects, responses to requests for access and amendment, and a term permitting immediate termination of the agent’s or subcontractor’s agreement with Business Associate for improper Use or Disclosure of Protected Information. Business Associate shall terminate its agreement with any agent or subcontractor to whom it provides Protected Information if such agent or subcontractor fails to abide by any material term of such agreement.

  • 2.5 Safeguards. Business Associate shall implement and use appropriate safeguards as necessary to prevent the Use or Disclosure of Protected Information in any manner that is not permitted by this BA Agreement, including but not limited to, safeguards designed to limit incidental Uses or Disclosures made pursuant to an otherwise permitted or required Use or Disclosure.

  • 2.6 Notice of Prohibited Uses or Disclosures. Business Associate shall provide written notice to Client of any Use or Disclosure of Protected Information that is in violation of the BA Agreement, the Privacy Rule, or other applicable federal or state law within five (5) business days of becoming aware of such Use or Disclosure. Business Associate shall also notify Client in writing within five (5) business days of receipt of any complaint that Business Associate receives concerning the handling of Protected Information or compliance with this BA Agreement.

  • 2.7 Mitigation. Business Associate shall mitigate promptly, to the extent practicable, any harmful effect that is known to Business Associate of a Use or Disclosure of Protected Information by Business Associate in violation of this BA Agreement, the Privacy Rule, or other applicable federal or state law.

  • 2.8 Access and Amendment. To enable Client to fulfill its obligations under the Privacy Rule, Business Associate shall make Protected Information in Designated Record Sets that are maintained by Business Associate or its agents or subcontractors available to Client for inspection, copying or amendment within ten (10) days of a request by Client. If an Individual requests inspection, copying or amendment of Protected Information directly from Business Associate or its agents or subcontractors, Business Associate shall notify Client in writing within five (5) business days of receipt of the request, and shall defer to, and comply with, Client’s direction in a timely manner regarding the response to the Individual regarding the request for inspection, copying or amendment.

  • 2.9 Accounting. Business Associate shall implement a process for recording certain Disclosures of Protected Information by Business Associate (“Accounting Information”) in order to enable Client to comply timely with its obligations under the Privacy Rule including, but not limited to, 45 CFR Section 164.528. At a minimum, this Accounting Information shall include for each such Disclosure recordation of (a) the name and date of birth of the Individual whose Protected Information was the subject of the Disclosure; (b) the date of Disclosure; (c) the name and address of the recipient of the Protected Information; (d) a brief description of the Protected Information disclosed; and (e) a brief statement of the purpose for the Disclosure that reasonably informs the Individual of the basis for the Disclosure. Within three (3) business days after a disclosure, Business Associate shall make available to Client this Accounting Information, in a format and medium specified by Client. If an individual requests an accounting directly from Business Associate or its agents or subcontractors, Business Associate must notify Client in writing within three (3) business days of the request, and shall defer to, and comply in a timely manner with, Client’s direction regarding the response to the Individual regarding the request for an accounting.

  • 2.10 Government Officials. Business Associate shall make its internal practices, books and records relating to the Use and Disclosure of Protected Information available to the Secretary of the U.S. Department of Health and Human Services (“Secretary”) for purposes of determining Client’s compliance with the Privacy Rule. Business Associate shall notify Client regarding any Protected Information that Business Associate provides to the Secretary concurrently with providing such Protected Information to the Secretary, and upon Client’s request, shall provide Client with a duplicate copy of such Protected Information.

  • 2.11 Insurance and Indemnity. Business Associate shall maintain or cause to be maintained sufficient insurance coverage as shall be necessary to insure Business Associate and its agents or subcontractors against any claim or claims for damages arising under this BA Agreement. Such insurance coverage shall apply to all site(s) of Business Associate and to all services provided by Business Associate or its agents or subcontractors under this BA Agreement.

Business Associate shall indemnify, hold harmless and defend Client and its affiliated entities from and against any and all claims, losses, liabilities, costs and other expenses (including reasonable attorneys’ fees and costs, and administrative penalties and fines) incurred as a result of, or arising directly or indirectly out of or in connection with any act or omission of Business Associate, its agents or subcontractors, under this BA Agreement including, but not limited to, negligent or intentional acts or omissions. The indemnification obligation of Business Associate shall survive termination of this Agreement.

ARTICLE III: OBLIGATIONS OF CLIENT

  • 3.1 Notice of Privacy Practices. Client shall notify Business Associate of limitation(s) in its notice of privacy practices in accordance with 45 CFR Section 164.520, to the extent such limitation affects Business Associate’s permitted Uses or Disclosures.

  • 3.2 Individual Permission. Client shall notify Business Associate of changes in, or revocation of, permission by an Individual to use or disclose Protected Information, to the extent such changes affect Business Associate’s permitted Uses or Disclosures.

  • 3.3 Restrictions. Client shall notify Business Associate of restriction(s) in the Use or Disclosure of Protected Information that Client or its contracted Health Plans have agreed to in accordance with 45 CFR Section 164.522, to the extent such restriction affects Business Associate’s permitted Uses or Disclosures.

  • 3.4 Prohibited Requests. Client shall not request Business Associate to use or disclose Protected Information in any manner that would not be permissible under the Privacy Rule if done by Client.

  • 3.5 Managed Networks. The provisions of this BA Agreement regarding the obligations and rights of the Client, and the obligations owed by Business Associate to Client, shall be deemed to extend to every entity managed or owned by Client if each such entity was a party to this BA Agreement.

ARTICLE IV: TERM AND TERMINATION

  • 4.1 Term. This BA Agreement shall commence as of the Effective Date and shall continue in effect so long as the Underlying Agreement is in effect. Upon termination of the Underlying Agreement for any reason, this BA Agreement shall automatically terminate, without action of the parties. Notwithstanding the first sentence of this Section 4.1, if Client determines that this BA Agreement is no longer required, the Client may terminate this BA Agreement on notice to Business Associate, and the Underlying Agreement shall thereafter continue in full force and effect.

  • 4.2 Termination for Cause. If Client determines that Business Associate, or any of its agents or subcontractors, has breached any material provision of this BA Agreement, which may include a pattern of activity or practice that constitutes a material breach, then Client, in its sole discretion, may (a) notify Business Associate of the material breach and request that it be cured; (b) terminate the Underlying Agreement immediately or upon such notice as Client may determine; or (c) report the material breach to the Secretary of the Department of Health and Human Services, if Client determines in its sole discretion that termination of the Underlying Agreement is infeasible. In the event that Client notifies Business Associate of the material breach and requests that it be cured under (a) above, but Client subsequently determines in its sole discretion that Business Associate has failed to cure the material breach to the reasonable satisfaction of Client, then Client may in its sole discretion follow the procedures set forth in (b) or (c) above without further notice.

  • 4.3 Effects of Termination. Upon termination of the Underlying Agreement and/or the BA Agreement for any reason, Business Associate shall, at Client’s direction, return or destroy all Protected Information that Business Associate or its agents or subcontractors still maintain in any form, and shall retain no copies of such Protected Information. Upon Client’s request, Business Associate shall certify in writing that such return or destruction has occurred. If Business Associate determines that return or destruction is not feasible, Business Associate shall explain to Client in writing why conditions make the return or destruction of such Protected Information infeasible. If Client agrees that the return or destruction of Protected Information is infeasible, Business Associate shall retain the Protected Information, subject to all of the protections of this BA Agreement, and shall make no further Use or Disclosure of the Protected Information, except as for those purposes that make the return or destruction of the Protected Information infeasible. In any event, upon termination of the Underlying Agreement and/or the BA Agreement, Business Associate shall retain for no less than six (6) years the Accounting Information compiled by Business Associate pursuant to section 2.9 of this BA Agreement, and shall make such Accounting Information available to Client within five (5) business days of a request.

  • 4.4 Survival. The obligations of Business Associate under this Article IV shall survive the termination of the Underlying Agreement and/or the BA Agreement.

ARTICLE V: MISCELLANEOUS

  • 5.1 Assistance. In the event of an administrative or judicial action commenced against Client where Business Associate may be at fault, in whole or in part, as the result of its performance under this BA Agreement, Business Associate agrees to defend and/or to cooperate with Client in the defense against such action.

  • 5.2 Subcontracts and Assignment. Business Associate shall not subcontract its obligations, assign its rights, or delegate its duties under this BA Agreement without the express written consent of Client.

  • 5.3 Amendment. If any modification to this BA Agreement is required for conformity with federal or state law or if Client reasonably concludes that an amendment to this BA Agreement is required because of a change in federal or state law, or by reason of Client’s status as a business associate of another covered entity, Client shall notify Business Associate of such proposed modification(s) (“Required Modifications”). Such Required Modifications shall be deemed accepted by Business Associate and this BA Agreement so amended, if Business Associate does not, within thirty (30) calendar days following the date of the notice, deliver to Client its written rejection of such Required Modifications. If Business Associate submits a written rejection of the Required Modification, Client may terminate the Underlying Agreement upon thirty (30) days written notice, or such longer period as may be required by law. Other modifications to this BA Agreement may be made on mutual agreement of the parties.

  • 5.4 Underlying Agreement. Except as specifically required to implement the purposes of this BA Agreement, and except to the extent inconsistent with this BA Agreement, all terms of the Underlying Agreement shall remain in full force and effect. In the event of a conflict between the terms of the Underlying Agreement and this BA Agreement, this BA Agreement shall control.

  • 5.5 Ambiguity. Any ambiguity in this BA Agreement relating to the Use and Disclosure of Protected Information shall be resolved in favor of a meaning that furthers the obligations to protect the privacy of the Protected Information in accordance with the Privacy Rule.

  • 5.6 State Law. In addition to HIPAA and the HIPAA Regulations, Business Associate shall comply with all applicable state and federal security and privacy laws.

  • 5.7 Third Party Beneficiaries. Except as expressly provided for in this BA Agreement or the Privacy Rule, there are no third party beneficiaries to this BA Agreement.

  • 5.8 Counterparts. This BA Agreement and any exhibits hereto may be executed in one or more counterparts; each counterpart shall be deemed an original.

  • 5.9 Notices. All notices required or permitted to be given under this BA Agreement shall be in writing and shall be sufficient in all respects if delivered personally, by nationally recognized overnight delivery service, or by registered or certified mail, postage prepaid, addressed as follows:


If to Client:

CLIENT
Address on file


Attention: Registered User

If to Business Associate:

Avidity Health Care Solutions, Inc.
10851 N Black Canyon Hwy, #560
Phoenix, AZ 85029

Attention: Michael Ewens


Notice shall be deemed to have been given upon transmittal thereof as to those personally delivered, upon the first day after mailing as to those sent by nationally recognized overnight delivery service, and upon the third day after mailing as to those sent by United States Mail. The above addresses may be changed by giving notice in the manner provided for above.