This Business Associate Agreement (hereinafter referred to as "BAA"), is hereby entered into between the Practitioner ("Covered Entity") and Spry Therapeutics ("Business Associate").
Whereas the Business Associate in relation to its services, performs functions, activities, or services ("Services") for or on behalf of Covered Entity and may maintain, transmit, create, store or receiver data that constitutes Protected Health Information ("PHI") while rendering the Services;
WHEREAS, Covered Entity is or may be subject to the requirements of the Federal Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the Health Information Technology for Economic and Clinical Health Act ("HITECH"), and related regulations;
WHEREAS, under HIPAA, the Covered Entity is required to maintain adequate assurances that the Business Associate will comply with certain obligations with respect to the PHI being processed under the Services.
WHEREAS, the Parties wish to record the aforementioned obligations and other requirements under HIPAA by way of this BAA
NOW, THEREFORE, in consideration of the mutual promises and covenants contained herein, the Parties hereby agree as follows:
- Definitions
The following terms used in this BAA shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, Disclosure, Electronic Protected Health Information, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, PHI, Required by Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use.
- Interpretation
Any ambiguity in this BAA shall be resolved in favor of a meaning that permits Covered Entity to comply with HIPAA. The provisions of this BAA shall prevail over the provisions of any other agreement that exists between the Parties that may conflict with, or appear inconsistent with, any provision of this BAA or HIPAA.
- Purpose for Disclosure
In connection with the Services provided by Business Associate to or on behalf of Covered Entity described in this BAA, Covered Entity may disclose PHI to Business Associate for the purposes contemplated by the Terms of Service ("Purpose").
- Permitted Use and Disclosure of PHI
- Business Associate may only Use or disclose PHI for the Purpose and as necessary to perform services under the Terms of Service.
- Business Associate may Use or disclose PHI as Required By Law. Business Associate agrees to make Use and Disclosures and requests for PHI as Required By Law.
- Business Associate may Use PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate.
- Business Associate may Use and disclose de-identified health information if the deidentification is in compliance with 45 C.F.R. §164.502(d), and the deidentified health information meets the standard and implementation specifications for deidentification under HIPAA.
- Business Associate may provide Data Aggregation services relating to the health care operations of the covered entity.
- Business Associate shall attempt to ensure that all Uses and Disclosures of PHI are subject to the principle of "minimum necessary Use and Disclosure," i.e., that only PHI that is the minimum necessary to accomplish the intended purpose of the Use, Disclosure, or request is Used or Disclosed.
- Obligations and Activities of Business Associate
Business Associate agrees to:
- Not Use or disclose PHI other than as permitted or required by the BAA or as Required By Law and as required to provide Services to the Covered Entity under the Terms of Service. Provided, however, Business Associate may Use and disclose PHI as necessary for the proper management and administration of Business Associate, or to carry out its legal responsibilities;
- Use appropriate safeguards as required under HIPAA with respect to Electronic Protected Health Information, to prevent Use or Disclosure of PHI other than as provided for by the BAA;
- Report to Covered Entity any Use or Disclosure of protected health information not provided for by the BAA of which it becomes aware, including breaches of unsecured protected health information as required under applicable laws, and any Security Incident of which it becomes aware;
- If applicable, ensure that any Subcontractors that create, receive, maintain, or transmit PHI on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information;
- Make available protected health information in a Designated Record Set to the Covered Entity or Individual or as necessary to satisfy Covered Entity’s obligations under HIPAA;
- Make any amendment(s) to Protected Health Information in a Designated Record Set as directed or agreed to by the Covered Entity pursuant to HIPAA;
- Maintain and make available the information required to provide an accounting of Disclosures to the Covered Entity or Individual as necessary to satisfy Covered Entity’s obligations under HIPAA;
- To the extent the Business Associate is to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s); and
- Make its internal practices, books, and records available to the Secretary for purposes of determining compliance with the HIPAA Rules.
- Except to the extent prohibited by law, Business Associate agrees to notify Covered Entity immediately upon receipt of any and all requests served upon Business Associate by or on behalf of any and all government authorities relating to PHI received from, or created or received by, Business Associate on behalf of Covered Entity.
- Provisions for Covered Entity to Inform Business Associate of Privacy Practices and Restrictions
- Covered Entity shall provide Business Associate a copy of its Notice of Privacy Practices produced by Covered Entity in accordance with 45 C.F.R. 164.520, as well as any changes to such notice
- Covered Entity shall notify Business Associate of any limitation(s) in the Notice Of Privacy Practices of Covered Entity, to the extent that such limitation may affect Business Associate’s Use or Disclosure of PHI.
- Covered Entity shall notify Business Associate of any changes in, or revocation of, the permission by an Individual to Use or disclose their PHI, to the extent that such changes may affect Business Associate’s Use or Disclosure of PHI.
- Covered Entity shall notify Business Associate of any restriction on the Use or Disclosure of PHI that Covered Entity has agreed to or is required to abide by, to the extent that such restriction may affect Business Associate’s Use or Disclosure of PHI.
- Covered Entity shall notify Business Associate of any amendment to PHI to which Covered Entity has agreed that affects a Designated Record Set maintained by Business Associate;
- If Business Associate maintains a Designated Record Set, provide Business Associate with a copy of its policies and procedures related to an Individual’s right to: access PHI; request an amendment to PHI; request confidential communications of PHI; or request an accounting of Disclosures of PHI.
- Mutual Obligations
Both Parties understand and agree that they are required to comply with the HIPAA Standards for Electronic Transactions, 45 C.F.R. Parts 160 and 162 (HIPAA Electronic Transaction Law) as amended from time to time
- Compliance with Law
To the extent Business Associate is to carry out Covered Entity’s obligation under the Privacy Standards stated under HIPAA, Business Associate shall comply with the requirements of the Privacy Standards that apply to Covered Entity in the performance of such obligation.
- Prohibition of Sale of PHI and Use of PHI for Marketing.
Business Associate will not directly or indirectly receive remuneration in exchange for any PHI, nor will it Use or Disclose PHI for fundraising and/or marketing purposes, except with the Covered Entity’s prior written consent and in accordance with applicable laws.
- Permissible Requests by Covered Entity
Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under HIPAA if done by covered entity, except as permitted under law.
- Term and Termination
- Term. This BAA shall be effective and coterminous with the Covered Entity’s use of the Services under the Terms of Service.
- Termination for Cause. Either Party may terminate this BAA, if such Party determines the other Party has violated a material term of the BAA and has not cured the breach or ended the violation within a period of 30 days from the date on which such breach was brought to the notice of the breaching Party.
- This BAA shall terminate simultaneously without additional notice upon the termination of any Terms of Service by either Party or, if there is no underlying agreement, upon termination of the Services.
- Obligations of Business Associate Upon Termination.
Upon termination of this BAA for any reason, Business Associate, with respect to PHI received from Covered Entity, or created, maintained, or received by Business Associate on behalf of Covered Entity, shall: - Retain only that PHI which is necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities;
- Return to Covered Entity the remaining PHI that the Business Associate still maintains in any form;
- Continue to use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 with respect to Electronic Protected Health Information to prevent use or disclosure of the Protected Health Information, other than as provided for in this Section, for as long as Business Associate retains the PHI;
- Not use or disclose the PHI retained by Business Associate other than for the purposes for which such PHI was retained and subject to the same conditions set out at Section IV which applied prior to termination; and
- Return to Covered Entity the PHI retained by Business Associate when it is no longer needed by Business Associate for its proper management and administration or to carry out its legal responsibilities.
- Survival. The obligations of Business Associate under this Section shall survive the termination of this BAA.