Business Associate Agreement
Business Associate Agreement
This Business Associate Agreement ("BAA"), is entered into by and between Savas Solutions LLC, ("BA") and Customer ("CE").
The parties agree as follows:
Background
CE and BA are engaged in a business relationship pursuant to which BA provides certain services to, for or on behalf of CE ("Business Relationship").
As part of this Business Relationship, BA will have access to Protected Health Information ("PHI").
The parties are committed to complying with all federal and state laws governing the confidentiality and privacy of health information and intend to protect the privacy and provide for the security of PHI disclosed to BA pursuant to the terms of this BAA, HIPAA, and other applicable laws.
Agreement
1. Terms Used. Terms used but not otherwise defined in this BAA shall have the same meaning given to such terms in HIPAA, the HITECH Act, or any implementing regulations promulgated thereunder, including the Privacy Rule and the Security Rule.
2. Permitted Uses and Disclosures of Protected Health Information. Except as otherwise limited in the Business Relationship or this BAA, BA may:
(a) use and/or disclose PHI to perform the functions, activities, or services for or on behalf of CE as specified in the Business Relationship and to undertake other activities of BA permitted or required of BA by this BAA or as required by law;
(b) use PHI for the proper management and administration of BA or to carry out the legal responsibilities of BA;
(c) disclose PHI for the proper management and administration of BA provided that the disclosures are required by law, or BA obtains reasonable assurances from the person to whom PHI is disclosed that it will remain confidential and be used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person notifies the BA of any instances of which it is aware in which the confidentiality of such PHI has been breached, to the extent it has knowledge of the breach;
(d) de-identify PHI, after which the information will no longer be protected by this BAA and may be used for any lawful business purpose; and
(e) provide data aggregation services, as that term is defined in 45 CFR §164.501, relating to the healthcare operations of the CE.
3. Responsibilities of BA with Respect to Protected Health Information. With regard to the use and/or disclosure of Protected Health Information, BA hereby agrees:
(a) not to use and/or disclose Protected Health Information other than as permitted or required by the Business Relationship or this BAA or as required by law;
(b) to use appropriate safeguards to prevent the use and/or disclosure of PHI other than as provided for by the Business Relationship or this BAA;
(c) to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the Electronic PHI that it creates, receives, maintains, or transmits on behalf of CE;
(d) to report to CE: (1) any use or disclosure of PHI not provided for in this BAA of which it becomes aware, including breaches of unsecured PHI and (2) any material security incident resulting in unauthorized access, acquisition, or disclosure of PHI of which it becomes aware;
(e) to ensure that any subcontractors who create, receive, maintain, or transmit PHI on behalf of it execute a subcontractor BAA in which they agree to: (1) comply with the same restrictions and conditions that apply to BA with respect to the PHI and (2) comply with the applicable requirements of the HIPAA Security Rule to the extent the subcontractor creates, receives, maintains, or transmits electronic PHI on behalf of it;
(f) to provide access (at the request of, and in the time and manner reasonably designated by, CE) to Protected Health Information in a Designated Record Set to CE or, as directed by CE, to an Individual (this provision shall be applicable only if BA has PHI in a Designated Record Set) and to notify CE of any requests for access it receives from an Individual;
(g) to make any amendment(s) (at the request of, and in the time and manner reasonably designated by, CE) to Protected Health Information in a Designated Record Set that CE directs (this provision shall be applicable only if BA has PHI in a Designated Record Set) and to notify CE of any amendment requests it receives from an Individual;
(h) to document such disclosures of PHI and information related to such disclosures as would be required for CE to respond to a request by an Individual for an accounting of disclosures of PHI;
(i) to provide to CE, in a time and manner reasonably designated by CE, information collected in accordance with Section 3(k) of this BAA, to permit CE to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 C.F.R. 164.528 and Section 13405(c) of the HITECH Act, and to provide an accounting of disclosures of Protected Health Information made through an electronic Health Record to the extent required of BA under Section 13405(c) of the HITECH Act;
(j) to make its internal practices, books, and records relating to the use and/or disclosure of PHI available to the Secretary of the Department of Health and Human Services or his/her designee, in a time and manner reasonably designated by CE or the Secretary, for purposes of determining CE's compliance with the Privacy Rule; and
(k) to mitigate, to the extent required by applicable law, any harmful effect that becomes known to BA as a result of a Breach, or use or disclosure of PHI, by BA in violation of the requirements of this Agreement.
4. Responsibilities of CE with Respect to Protected Health Information. To the extent applicable, CE shall:
(a) notify BA of any limitation(s) in its notice of privacy practices to the extent such limitation may affect BA's use or disclosure of PHI;
(b) notify BA of any changes in, or revocation of, permission by an Individual to use or disclose Protected Health Information, if such changes may affect BA's uses or disclosure of PHI;
(c) notify BA of any restriction to the use and/or disclosure of PHI that CE has agreed to, if such, and cover the cost of BA complying with such restriction; and
(d) except for data aggregation or management and administrative activities of BA, not request BA to use or disclose PHI in any manner that would not be permissible under HIPAA if done by CE.
5. Term and Termination.
(a) Term. The Term of this BAA shall be effective as of the effective date of Services and shall terminate when all of the Protected Health Information provided by CE to BA, or created or received by BA on behalf of CE, is destroyed or returned to CE, or, if it is infeasible to return or destroy Protected Health Information, protections are extended to such Protected Health Information, in accordance with Section 6(c) below.
(b) Termination for Cause. CE shall provide BA with thirty (30) days written notice and an opportunity to cure any alleged material breach prior to termination, except in cases of willful misconduct or non-curable violations, in which case CE may immediately terminate the Business Relationship and/or this BAA.
(c) Effect of Termination.
(i) Except as provided in paragraph (ii) of this Section 6(c), upon termination of the Business Relationship and/or this BAA, for any reason, BA shall return or destroy all Protected Health Information. This Section 6(c) shall apply to Protected Health Information that is in the possession of subcontractors or agents of BA.
(ii) In the event that BA determines that returning or destroying the Protected Health Information is infeasible, BA shall provide in writing to CE notification of the conditions that make return or destruction infeasible. Upon mutual written agreement of the parties that return or destruction of Protected Health Information is infeasible, BA may retain such Protected Health Information and shall extend the protections of this BAA to such Protected Health Information and limit further uses and disclosures of such Protected Health Information to those purposes that make the return or destruction infeasible, for so long as BA maintains such Protected Health Information.
(iii) BA shall be permitted to retain copies of PHI solely for the purpose of performing regular data backups, disaster recovery, and ensuring compliance with applicable federal and state regulations. PHI retained under this section shall be destroyed in accordance with BA's record retention processes. BA shall extend the protections of this BAA to such PHI for so long as BA maintains such PHI.
6. Indemnification; Limitations of Liability.
(a) BA shall be responsible only for the acts and omissions of its own employees and agents. BA shall not be liable for the acts, omissions, or breaches of any subcontractor, vendor, or third party, unless expressly agreed in a separate written agreement or as required by applicable law.
(b) A party ("Indemnifying Party") agrees to defend the other party ("Indemnified Party") from any and all third party claims arising from a breach of the Indemnifying Party's obligations under this BAA and indemnify the Indemnified Party from any resulting judgment by a court of competent jurisdiction or governmental agency for any penalties, fines, costs, liabilities, or direct damages incurred by the Indemnified Party. NEITHER PARTY SHALL BE LIABLE TO THE OTHER FOR LOST PROFITS OR REVENUE OR FOR INCIDENTAL, CONSEQUENTIAL, PUNITIVE, COVER, SPECIAL, RELIANCE, OR EXEMPLARY DAMAGES, OR INDIRECT DAMAGES OF ANY TYPE OR KIND HOWEVER CAUSED, WHETHER FROM BREACH OF WARRANTY, BREACH OR REPUDIATION OF CONTRACT, NEGLIGENCE, GROSS NEGLIGENCE, WILLFUL MISCONDUCT OR ANY OTHER LEGAL CAUSE OF ACTION FROM OR IN CONNECTION WITH THIS BAA (AND WHETHER OR NOT THE PARTY HAS BEEN ADVISED ON THE POSSIBILITY OF SUCH DAMAGES) TO THE MAXIMUM EXTENT PERMITTED BY LAW. BUSINESS ASSOCIATE'S MAXIMUM LIABILITY TO COVERED ENTITY, WHETHER BASED ON WARRANTY, CONTRACT, TORT (INCLUDING NEGLIGENCE), PRODUCT LIABILITY OR OTHERWISE, WILL NOT EXCEED THE FEES PAID AND PAYABLE BY COVERED ENTITY UNDER THE BUSINESS RELATIONSHIP DURING THE PRECEDING TWELVE MONTH PERIOD.
7. Miscellaneous.
(a) Amendment. The parties shall negotiate in good faith to amend this BAA from time to time as is necessary for CE and BA to comply with the requirements of the Privacy Rule, the Security Rule, HIPAA, and the HITECH Act. Notwithstanding the forgoing, if CE and BA have not amended this BAA to address a law or final regulation that becomes effective after the Effective Date and that is applicable to this BAA, then upon the effective date of such law or regulation (or any portion thereof) this BAA shall be amended automatically and deemed to incorporate such new or revised provisions as are necessary for this BAA to be consistent with such law or regulation and for CE and BA to be and remain in compliance with all applicable laws and regulations. Except as provided in this Section 8(a), no amendment to this BAA shall be effective unless it is in writing and signed on behalf of CE and BA.
(b) Survival. The respective rights and obligations of BA under Section 6(c) of this BAA shall survive the termination of the Business Relationship and/or this BAA.
(c) Regulatory and Statutory References. Any reference in this BAA to a section of HIPAA, the Privacy Rule, the Security Rule, the HITECH Act, or any other regulations implementing HIPAA or the HITECH Act, shall mean such regulation or statute as in effect at the time of execution of this BAA or, if and to the extent applicable, as subsequently updated, amended or revised.
(d) Interpretation. Any ambiguity in this BAA shall be resolved in favor of a meaning that permits CE and BA to comply with the Privacy Rule, the Security Rule, HIPAA and the HITECH Act. Each provision of the HITECH Act and HIPAA that is required to be included in BA agreements pursuant to HITECH and is not already set forth in this BAA is hereby incorporated into this BAA by reference.
(e) Notices and Communications. All communications shall be in writing and shall be delivered by hand, overnight courier service, or first class mail (postage prepaid) and addressed to the respective party as specified below. Either party may update or change their contact information for notices and communications by providing written notice of the change.
Business Associate:
Compliance Officer
Savas Solutions
10105 E. Via Linda, Ste. 103 PMB 1301
Scottsdale, AZ 85258
compliance@savashealth.com
With a copy to: legal@savashealth.com
Covered Entity:
The address provided on Customer Order Form
(f) Choice of Law. Any dispute, claim, or litigation relating to or arising from this Agreement shall be governed by the laws of the State of Arizona without regard to any conflict of laws provision.
(g) Arbitration. Any dispute arising out of or relating to this contract or the subject matter thereof, or any breach of this contract, including any dispute regarding the scope of this clause, will be resolved through arbitration administered by the American Health Law Association Dispute Resolution Service and conducted pursuant to the AHLA Rules of Procedure for Arbitration. Judgment on the award may be entered and enforced in any court having jurisdiction.
The claim or claims will be heard by a panel of three arbitrators. Each party will appoint a panel member, and the two panel members will appoint a chair. The chair will resolve all pre-hearing disputes regarding discovery, confidentiality, subpoenas, and other matters on his or her own, except for dispositive motions.
If this matter is heard in person, the location will be Maricopa County, Arizona.
The Panel may award any form of relief authorized by law.
The Panel shall approximate the extent to which each party prevailed and award the costs of the arbitration process and reasonable attorney's fees and expenses consistent with this approximation. A party that is determined to have fully prevailed on all its claims is entitled to all costs it incurred for the arbitration process and all reasonable attorney's fees and expenses.
The Panel shall provide a concise statement of the reasons supporting the award.
The parties agree to disclose the existence of this arbitration, information about what has taken place or may take place in this arbitration, the award, or information about the outcome of this arbitration, only as needed to: (a) present claims and defenses in arbitration; (b) pursue or oppose legal remedies in court pertaining to this arbitration, including enforcement of an award; (c) comply in good faith with applicable laws, rules, regulations, court orders, or other legal requirements; or (d) comply with the award. In all other respects, the parties agree to keep this arbitration strictly confidential. The parties reserve the right to enter into, or request from the arbitrator, a more detailed confidentiality agreement or protective order.
Within 30 days after an award is issued, a party may appeal it in accordance with the Rules of Procedure for Arbitration Appeals of the American Health Law Association.
(h) No Third Party Beneficiary. Nothing in this BAA is intended, nor shall be deemed, to confer any benefits on any third party.
(i) Effect of BAA. Except as amended by this BAA, the terms and provisions of the Business Relationship shall remain in full force and effect.
Signature Page
IN WITNESS WHEREOF, the Parties have executed this Business Associate Agreement.
|
Covered Entity: By: ___________________________ Name: _________________________ Title: __________________________ |
Business Associate: Savas Solutions LLC By: ___________________________ Name: Aletheia Lawry Title: General Counsel |

