Last Modified: October 20, 2017
THIS BUSINESS ASSOCIATE AGREEMENT (the “Agreement”) is entered into between you (“Covered Entity”) and CoverMyMeds LLC, a Delaware limited liability company (“Business Associate”), and is effective as of the date that you click the “I AGREE” button on the Terms of Service screen (the “Effective Date”).
WHEREAS, the U.S. Department of Health and Human Services issued regulations on “Standards for Privacy of Individually Identifiable Health Information” comprising 45 C.F.R. Parts 160 and 164, Subparts A and E (the “Privacy Standards”), “Security Standards for the Protection of Electronic Protected Health Information” comprising 45 C.F.R. Parts 160 and 164, Subpart C (the “Security Standards”), and “Standards for Notification in the Case of Breach of Unsecured Protected Health Information” comprising 45 C.F.R. Parts 160 and 164, Subpart D (the “Breach Notification Standards”), promulgated pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and as modified by the Health Information Technology For Economic and Clinical Health Act, Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 (“HITECH Act”) (the Privacy Standards, the Security Standards and the Breach Notification Standards are collectively referred to herein as the “HIPAA Standards”).
WHEREAS, in conformity with the HIPAA Standards, Business Associate has and/or will have access to, create and/or receive certain Protected Health Information (“PHI”) to perform its Services as provided under the Terms of Service entered into by and between Covered Entity and Business Associate (the “Terms of Service”).
WHEREAS, Covered Entity is required by the HIPAA Standards to obtain satisfactory assurances that Business Associate will appropriately safeguard all PHI disclosed by or created or received by Business Associate on behalf of Covered Entity.
WHEREAS, the parties hereto desire to enter into this Agreement to memorialize their obligations with respect to PHI pursuant to the requirements of the HIPAA Standards.
NOW, THEREFORE, Covered Entity and Business Associate agree as follows:
Except as otherwise specified herein, capitalized terms used but not defined in this Agreement shall have the same meaning as those terms as defined in the Terms of Service or HIPAA Standards.
(a) Protected Health Information (“PHI”) has the same meaning as the term “Protected Health Information” as defined in 45 C.F.R. § 160.103, and includes electronic PHI (“ePHI”) limited, however, to such information created or received by Business Associate in a business associate capacity on behalf of Covered Entity.
(b) Secretary means the Secretary of the Department of Health and Human Services or his/her designee.
(a) Business Associate agrees to not use or further disclose PHI other than as permitted or required by this Agreement, the Services Agreement, or as permitted or Required by Law.
(b) Business Associate agrees to use appropriate safeguards to prevent use or disclosure of the PHI other than as provided for by this Agreement.
(c) In accordance with the HIPAA Standards, Business Associate shall implement Administrative, Physical and Technical Safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of ePHI that it creates, receives, maintains or transmits on behalf of the Covered Entity. Specifically, Business Associate shall comply with the Security Standards.
(d) Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for by this Agreement of which Business Associate becomes aware. Additionally, Business Associate shall report to Covered Entity any Security Incident resulting in an unauthorized use or disclosure of ePHI of which Business Associate becomes aware within twenty (20) business days. The parties acknowledge and agree that this Section 2(d) constitutes notice by Business Associate to Covered Entity of the ongoing existence and occurrence or attempts of Unsuccessful Security Incidents for which no additional notice to Covered Entity shall be required. “Unsuccessful Security Incidents” means, without limitation, pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denial of service attacks, and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of PHI.
(e) Business Associate agrees to notify Covered Entity of any Breach of Unsecured Protected Health Information within twenty (20) business days of the date Business Associate learns of the Breach. Business Associate shall provide such information to Covered Entity as required by the HIPAA Standards.
(f) Business Associate will enter into a written agreement with any agent or subcontractor that creates, receives, maintains or transmits PHI on behalf of Business Associate for services provided to Covered Entity, providing that the agent agrees to restrictions and conditions that are no less restrictive than those that apply through this Agreement to Business Associate with respect to such PHI.
(g) Business Associate will cooperate with Covered Entity’s efforts to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this Agreement.
(h) To the extent Business Associate agrees in the Terms of Service to maintain any PHI in a Designated Record Set, upon the written request of Covered Entity, within twenty (20) business days, Business Associate agrees to provide Covered Entity with access to PHI in a Designated Record Set, as defined in 45 C.F.R. § 164.501, for Covered Entity to comply with the requirements under 45 C.F.R. § 164.524. Business Associate further agrees, within twenty (20) business days of Covered Entity’s written request, to make available PHI for amendment and incorporate any amendments to PHI in a Designated Record Set in accordance with 45 C.F.R. § 164.526. If Business Associate provides copies or summaries of PHI to an Individual it may impose a reasonable, cost-based fee in accordance with 45 C.F.R. § 164.524(c)(4).
(i) Business Associate agrees to make internal practices, books, and records, including policies and procedures and PHI relating to the use and disclosure of PHI created or received by Business Associate on behalf of Covered Entity available, at the request of the Covered Entity, to the Secretary, for purposes of determining Covered Entity’s compliance with the HIPAA Standards.
(j) Business Associate agrees to document those disclosures of PHI, and information related to such disclosures, as required to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528. Business Associate further agrees to provide Covered Entity such information within twenty (20) business days of its written request to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI, in accordance with 45 C.F.R. § 164.528.
(k) Business Associate acknowledges that in using, disclosing and requesting PHI, it shall comply with the minimum necessary requirements of the Privacy Standards.
(l) If Business Associate conducts any Standard Transactions electronically on behalf of Covered Entity, Business Associate shall comply with the applicable requirements of 45 C.F.R. Part 162.
(m) Except as otherwise permitted by law, Business Associate shall not directly or indirectly receive remuneration in exchange for a disclosure of PHI without the Covered Entity’s authorization.
(a) Business Associate may use or disclose PHI to perform functions, activities, or Services for, or on behalf of, Covered Entity pursuant to the Service Agreement between the parties, provided that such use or disclosure does not violate the HIPAA Standards.
(b) Business Associate may use PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate. Business Associate may disclose PHI for the proper management and administration of Business Associate or to carry out its legal responsibilities, provided that such disclosures are (i) Required by Law, or (ii) Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person, and the person agrees to notify Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached. All disclosures will be made in accordance with HIPAA Standards.
(c) Business Associate may use Protected Health Information to provide Data Aggregation services to Covered Entity as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B) of HIPAA.
(d) Business Associate may use Protected Health Information to de-identify PHI in accordance with 45 C.F.R. § 164.514 of HIPAA, and Business Associate may subsequently use and disclose such de-identified data unless prohibited by applicable law.
(a) Term. The provisions of this Agreement shall commence on the Effective Date and shall terminate upon termination of the Service Agreement except as provided in Section 4(c).
(b) Termination for Cause. Without limiting the termination rights of the parties pursuant to this Agreement and upon Covered Entity’s knowledge of a material breach of this Agreement by Business Associate, Covered Entity shall provide a reasonable opportunity of not less than thirty (30) business days for Business Associate to cure the breach or end the violation and, if Business Associate does not cure the breach or end the violation within the time specified by Covered Entity, terminate this Agreement.
(c) Effect of Termination.
(1) Except as provided in paragraph (2) of this section, upon termination of this Agreement for any reason, Business Associate shall return or destroy all PHI received or created by Business Associate on behalf of Covered Entity. This provision shall apply to PHI that is in the possession of Subcontractors of Business Associate.
(2) If Business Associate determines that returning or destroying the PHI is infeasible, Business Associate shall, at its sole discretion, extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI.
Covered Entity will notify Business Associate fifteen (15) days, if practicable, prior to the effective date of (1) any limitation(s) in its notice of privacy practices in accordance with 45 C.F.R. § 164.520, (2) any changes in, or revocation of, permission by an Individual to use or disclose PHI, or (3) any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 C.F.R. § 164.522. Covered Entity will make such notification to the extent that such limitation, restriction, or change may affect Business Associate’s use or disclosure of PHI.
Any notices or communications to be given pursuant to this Agreement shall be made, in the case of Covered Entity, to the individual listed as the Covered Entity contact in your account setup information and, if made to Business Associate, to the address given below:
If to Business Associate, to:
Privacy Officer
2 Miranova Pl.
Columbus, Ohio 43215
(a) Regulatory References. A reference in this Agreement to a section in the HIPAA Standards means the section then in effect and as of its applicable compliance date.
(b) Amendment. This Agreement may be amended from time to time to ensure compliance with the requirements of the HIPAA Standards and any other applicable law or regulation.
(c) Waiver; Severability. No failure or delay on the part of either Party in exercising any right under this Agreement will operate as a waiver of, or impair, any such right. No waiver of any such right will have effect unless given in a written document signed by the Party waiving such right. If any part of this Agreement is held to be void or unenforceable, such part will be treated as severable, leaving valid the remainder of this Agreement.
(d) Integration; Interpretation. This Agreement supersedes and replaces any and all previous business associate agreements between the parties. Any ambiguity in this Agreement shall be resolved to permit the parties to comply with the HIPAA Standards. In the event of any inconsistency or conflict between this Agreement and the Terms of Service, the terms and conditions of this Agreement shall govern and control.
(e) No Third-Party Beneficiary. Nothing express or implied in this Agreement or in the Terms of Service is intended to confer, nor shall anything herein confer, upon any person other than the parties and the respective successors or assigns of the parties, any rights, remedies, obligations, or liabilities whatsoever.
(f) Survival. The respective rights and obligations of Business Associate under Section 4(c) of this Agreement shall survive the termination of this Agreement for so long as Business Associate retains any PHI.
(g) Interpretation. Any ambiguity in this Agreement shall be resolved to permit the parties to comply with the HIPAA Standards. In the event of any inconsistency or conflict between this Agreement and the Terms of Service, the terms and conditions of this Agreement shall govern and control.
(h) No Third Party Beneficiary. Nothing express or implied in this Agreement or in the Terms of Service is intended to confer, nor shall anything herein confer, upon any person other than the parties and the respective successors or assigns of the parties, any rights, remedies, obligations, or liabilities whatsoever.
(i) Governing Law. This Agreement shall be governed by and construed in accordance with the same internal laws as that of the Terms of Service.