This HIPAA Business Associate Agreement (the “Agreement”) is made and entered into by [COMPANY] and Golden Proportions Marketing Inc. (“GPM”), a Pennsylvania corporation, with an address at 330 Mahoning Street, Milton, Pennsylvania 17847. employee and GPM may in this Agreement be referred to singularly as a “Party” and collectively as the “Parties.” This Agreement is effective as of the Effective Date above.
BY SIGNING BELOW, YOU AGREE TO FOLLOW AND BE BOUND BY THE TERMS AND CONDITIONS OF THIS AGREEMENT. IF YOU ARE ENTERING INTO THIS AGREEMENT ON BEHALF OF A COMPANY OR OTHER LEGAL ENTITY, YOU REPRESENT THAT YOU HAVE THE AUTHORITY TO BIND SUCH ENTITY TO THE TERMS AND CONDITIONS OF THIS AGREEMENT. IF YOU DO NOT HAVE SUCH AUTHORITY OR IF YOU DO NOT AGREE TO ALL THE TERMS AND CONDITIONS IN THIS AGREEMENT, YOU MUST NOT SIGN THIS DOCUMENT AND MAY NOT USE THE SERVICE.
- GPM and employee are involved in a business relationship whereby GPM provides services to clients pursuant to a Software as a Service Agreement (“SAAS”);
- Employee has informed GPM that it is a Covered Entity or Business Associate as defined in the Health Insurance Portability and Accountability Act 1996 and the implementing regulations thereunder (“HIPAA”) and therefore must enter into a business associate agreement with organizations that may have access to Protected Health Information;
- In the context of providing services to client, GPM may receive, store and transmit Protected Health Information on behalf of client, and therefore qualifies as a Business Associate under HIPAA;
- The Parties have therefore decided to enter into this Agreement to document their respective rights and obligations under HIPAA and any modifications thereto, including the privacy and security provisions of Subtitle D of the Health Information Technology for Economic and Clinical Health Act (“HITECH”), enacted as part of the American Recovery and Reinvestment Act 2009, and regulations promulgated thereunder in respect of Protecteds, from or on behalf of employee in its capacity, as applicable, as a Covered Entity or Business Associate only.
- The Parties intend that this Agreement provides the necessary satisfactory assurances pursuant to HIPAA and HITECH to the extent applicable to GPM as a Business Associate in its provision of the services.
NOW THEREFORE, for and in consideration of these promises and the terms set forth below, and for good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the Parties agree as follows:
In this Agreement, the following words have the following meanings. Unless otherwise defined in this Agreement, capitalized terms have the meanings given to them in the SAAS.
The following terms shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, Disclosure, Individual, Minimum Necessary, Notice of Privacy Practices, Protected Health Information, Required by Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use.
- Business Associate. “Business Associate” shall generally have the same meaning as the term “business associate” at 45 CFR 160.103.
- Covered Entity. “Covered Entity” shall generally have the same meaning as the term “covered entity” at 45 CFR 160.103.
- HIPAA Rules. “HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.
- Services. “Services” means the services provided by GPM to employee pursuant to the SAAS.
- Obligations and Activities of GPM as Business Associate
GPM agrees to:
- Not Use or disclose Protected Health Information other than as permitted or required by the Services Agreement, this Agreement or as Required by Law;
- Use reasonable and appropriate safeguards designed to prevent Use or Disclosure of Protected Health Information other than as provided for in this Agreement, and comply with the applicable requirements of Subpart C of 45 CFR Part 164 with respect to electronic Protected Health Information;
- Report to employee, to the extent permitted by applicable law, any Use or Disclosure of Protected Health Information not provided for by this Agreement of which it becomes aware, including Breaches of Unsecured Protected Health Information as required at 45 CFR § 164.410, and any Security Incident of which it becomes aware, provided that notice is hereby deemed given for Unsuccessful Security Incidents and no further notice of such Unsuccessful Security Incidents shall be given. Any notification of a Breach of Unsecured Protected Health Information must be made to employee’s address on page 1 without unreasonable delay and in no case later than sixty (60) days of the first day of GPM’s discovery of the Breach. GPM shall be deemed to have knowledge of a Breach if the Breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the Breach, who is an employee, officer, or other agent of GPM (determined in accordance with the Federal common law of agency). Any notification of a Breach of Unsecured Protected Health Information shall include, if known, at the time of the notification or promptly thereafter as information becomes available: (i) the identity of the Individuals whose Unsecured Protected Health Information has been, or is reasonably believed by GPM to have been accessed, acquired, used, or disclosed as a result of the Breach; (ii) a brief description of the Breach (i.e. what happened, the date of the Breach and the date of GPM’s discovery of the Breach); (iii) a description of the type of Unsecured Protected Health Information involved in the Breach (such as, if known, whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved); (iv) any steps Individuals should take to protect themselves from potential harm resulting from the Breach; (v) a brief description of what GPM is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any further Breaches; and (vi) contact procedures for Individuals to ask questions or learn additional information. For the purposes of this section, “Unsuccessful Security Incident” means, without limitation, pings and other broadcast attacks on GPM’s firewall, port scans, unsuccessful log-in attempts, denial of service attacks, and any combination of the foregoing as long as no incidents result in unauthorized access, acquisition, Use, or Disclosure of Protected Health Information;
- In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any Subcontractors that create, receive, maintain, or transmit Protected Health Information on behalf of GPM agree to the same restrictions, conditions, and requirements that apply to GPM with respect to such information, and provide satisfactory assurances that the Protected Health Information will be appropriately safeguarded;
- To the extent employee does not already have access to such Protected Health Information, make access available to any Protected Health Information maintained by GPM in a Designated Record Set to the employee no later than 30 days after receipt of such request from employee as necessary to satisfy the obligations under 45 CFR 164.524;
- To the extent employee does not already have access to such Protected Health Information, make any Protected Health Information maintained by GPM in a Designated Record Set available for amendment no later than 30 days after receipt of such request as directed or agreed to by the employee pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy the obligations under 45 CFR 164.526, and shall if applicable and as directed by employee incorporate any reasonably requested amendment into the Designated Record Set;
- Maintain and make available no later than 30 days after receipt of such a request the information required to provide an accounting of Disclosures to the employee as necessary to satisfy the obligations under 45 CFR 164.528. If any Individual to whom the Protected Health Information relates directly requests that GPM provide access to or amend Protected Health Information as provided for in (e) and (f), or provide an accounting of Disclosures, GPM shall notify employee within thirty (30) days of such request. employee agrees that it, and not GPM, is responsible for responding to any such requests;
- To the extent GPM is to carry out one or more Covered Entity obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the employee in the performance of such obligation(s); and
- Make its internal practices, books, and records relating to the Use and/or Disclosure of Protected Health Information received from employee available to the Secretary for purposes of determining compliance with the HIPAA Rules, subject to attorney-employee and other applicable legal privileges.
3. Permitted Uses and Disclosures by GPM as Business Associate
GPM agrees that:
- GPM may only Use or disclose Protected Health Information as necessary to perform the services set forth in the SAAS (“Services”);
- GPM may Use or disclose Protected Health Information as Required by Law;
- GPM will make Uses and Disclosures and requests for Protected Health Information consistent with Covered Entity’s minimum necessary policies and procedures that are provided to GPM;
- GPM may not Use or disclose Protected Health Information in a manner that would violate Subpart E of 45 CFR Part 164 if done by employee;
- GPM will make reasonable efforts not to request, Use or disclose more than the minimum amount of Protected Health Information necessary to accomplish the purposes of such request, Use or Disclosure. GPM may Use or disclose the Minimum Necessary Protected Health Information to parties such as agents or Subcontractors with whom it contracts to assist in providing the Services for the proper management and administration of GPM or to carry out the legal responsibilities of GPM, provided the Disclosures are Required By Law, or GPM obtains reasonable written assurances from the person to whom the information is disclosed that the information will remain confidential and used or further disclosed only as Required By Law or for the purposes for which it was disclosed to the person, and the person notifies GPM of any instances of which it is aware in which the confidentiality of the information has been breached;
- GPM shall not directly or indirectly sell or otherwise receive remuneration in exchange for any Protected Health Information unless GPM has obtained in accordance with 45 C.F.R. § 164.508 a valid authorization that includes a statement that Protected Health Information can be further exchanged for remuneration. Such prohibition shall not affect any payments for the Services;
- Unless specifically agreed to otherwise in writing between the Parties, GPM shall not Use Protected Health Information for Data Aggregation services. Unless specifically agreed to otherwise in writing between the Parties, GPM shall not de-identify Protected Health Information or Use de-identified Protected Health Information for any purpose other than troubleshooting and product improvement.
4. Provision for employee to Inform GPM of Privacy Practices and Restrictions
employee shall notify GPM of any limitation(s) in the Notice of Privacy Practices of Covered Entity under 45 CFR 164.520 and of any other restrictions to the Use or Disclosure of Protected Health Information agreed to by employee in accordance with the HIPAA Rules, to the extent that such limitation may affect GPM’s Use or Disclosure of Protected Health Information.
5. Obligations of employee
- employee shall not request GPM to Use or disclose Protected Health Information in any manner that would not be permissible under Subpart E of 45 CFR Part 164 if done by a Covered Entity. employee shall not disclose Protected Health Information to GPM unless such is necessary for GPM to perform under the SAAS.
- employee is responsible for using appropriate safeguards to protect Protected Health Information in compliance with HIPAA during its use of the Services. Without limitation thereto, employee shall not provide Protected Health Information to GPM through a technical support request or by email.
- employee assumes all liability for any Breach of Unsecured Protected Health Information as required at 45 CFR § 164.410, including any Breach of Unsecured Protected Health Information caused by any individual employee employs or third parties with which employee works or consults that have access to patient calls.
- It is employee’s responsibility not to add or process Protected Health Information to the Services until such time as this Agreement is effective.
6. Term and Termination
- Term. The Term of this Agreement shall be effective as of the Effective Date, and shall terminate: (i) on termination or expiry of the SAAS or (ii) on the date employee terminates for cause as authorized in paragraph (b) of this Section, whichever is sooner.
- Termination for Cause. GPM authorizes immediate termination of this Agreement by employee, if employee determines GPM has violated a material term of the Agreement. employee may at its discretion provide GPM with a period to cure a material violation of the Agreement.
- Obligations of GPM Upon Termination. Upon termination of this Agreement for any reason, GPM shall return or destroy all Protected Health Information received from employee, or created, maintained, or received by GPM on behalf of employee, that GPM still maintains in any form. GPM shall retain no copies of the Protected Health Information. If it is infeasible to return or destroy the Protected Health Information, then GPM shall continue to extend the protections of this Agreement to such Protected Health Information and limit further use of such Protected Health Information to those purposes that make the return or destruction of infeasible. If Protected Health Information is destroyed, GPM agrees to provide employee with a certification evidencing such destruction, upon written request. GPM has no obligation to retain copies or backups of Protected Health Information following termination of this Agreement.
- Survival. The obligations of GPM under this Section shall survive the termination of this Agreement.
To the fullest extent of the law, employee shall indemnify, defend and hold harmless the GPM, its officers, employees, agents, representatives, consultants, and contractors from and against any and all losses, liabilities, damages, claims, penalties and expenses, including attorneys’ fees, arising directly out of a third-party claim that the employee has violated this Agreement or failed to comply with applicable laws, rules, and regulations (“Claims”). employee shall have no indemnification obligations under this clause 7 in respect of any Claims caused by the gross negligence or willful misconduct of GPM.
- Amendments. Except as stated within this section, this Agreement may be amended only by written Agreement signed by both Parties to this Agreement. The Parties agree to modify this Agreement as may be necessary due to changes to state and federal laws relating to the security and privacy of Protected Health Information.
- No Third-Party Beneficiaries; Ownership. This Agreement does not create any rights for any person or entity other than the Parties hereto and their respective successors or permitted assigns, any rights, remedies, obligations or liabilities whatsoever. GPM acquires no ownership rights or title to Protected Health Information.
- Interpretation. This Agreement shall be interpreted as broadly as necessary to implement and comply with the HIPAA Rules and any ambiguity shall be resolved in favor of the meaning that complies with the HIPAA Rules. If there is any conflict between a provision of this Agreement and a provision of the SAAS, this Agreement shall control. The SAAS otherwise remains in full force and effect.
- No Agency Relationship. No agency relationship is expressly or impliedly created by this Agreement.
- HIPAA Business Associate Compliance. As you are a Covered Entity (as defined by the HIPAA Rules) and GPM may create, receive, maintain, or transmit Electronic Protected Health Information (“EPHI”) or Personal Health Information (“PHI”) on your behalf, GPM is a Business Associate with regard to EPHI and PHI. As not all information received or maintained by GPM will be PHI or EPHI subject to the HIPAA Rules, this provision is only applicable regarding information that is received, maintained or created by GPM on behalf of a Covered Entity as defined by the HIPAA Rules and is PHI or EPHI but any information not protected by the HIPAA Business Associate Subcontractor Agreement set forth in Exhibit “A” will be protected by confidentiality provisions otherwise contained in this Agreement. With respect to any EPHI or PHI that GPM creates, receives, maintains or transmits on your behalf, the provisions of the HIPAA Business Associate Agreement, attached to this Agreement as Exhibit “A”, are incorporated herein and made part hereof as is set forth in length.
- General Provisions.
- GPM reserves all rights not expressly granted herein.
- GPM may modify this Agreement at any time by providing such revised Agreement to you or posting the revised Agreement on its website located at www.GPM.com. Your continued use of the GPM Software shall constitute your acceptance of such revised Agreement.
- You may not assign this Agreement or any rights hereunder.
- Nothing in this Agreement shall constitute a partnership or joint venture between you and GPM.
- Should any term or provision hereof be deemed invalid, void or unenforceable either in its entirety or in a particular application, the remainder of this Agreement shall nonetheless remain in full force and effect.
- The failure of GPM at any time or times to require performance of any provision hereof shall in no manner affect its right at a later time to enforce the same unless the same is waived in writing.
- This Agreement shall be governed by and construed in accordance with the laws of the United States of America and the Commonwealth of Pennsylvania without regard to their conflict of law rules.
- The parties agree that this Agreement shall be deemed to have been made and entered into in Northumberland County and the Commonwealth of Pennsylvania. The parties hereby waive any objections to the jurisdiction and venue of the courts in or for Northumberland County, Pennsylvania or the Federal District Court for the Middle District of Pennsylvania, including any objection to personal jurisdiction, venue, and/or forum non-conveniens, in any proceeding and by either party to enforce its rights under filed in or for Northumberland County, Pennsylvania or the Federal District Court for the Middle District of Pennsylvania. The parties agree not to object to any action filed by a party to remove any action filed by a party from a forum or court not located in Northumberland County, Pennsylvania or the Federal District Court for the Middle District of Pennsylvania. and you irrevocably consent to the jurisdiction of such courts.
- The terms set forth in this Agreement and any related service agreements constitute the final, complete and exclusive agreement with respect to the GPM Software and may not be contradicted, explained or supplemented by evidence of any prior agreement, any contemporaneous oral agreement or any consistent additional terms. GPM may at its sole discretion assign this Agreement to a subsidiary or sister company, without giving prior notice. YOU EXPRESSLY ACKNOWLEDGE THAT YOU HAVE READ THIS AGREEMENT AND UNDERSTAND THE RIGHTS, OBLIGATIONS, TERMS AND CONDITIONS SET FORTH HEREIN. BY CONTINUING TO INSTALL THE GPM SOFTWARE, YOU EXPRESSLY CONSENT TO BE BOUND BY ITS TERMS AND CONDITIONS AND GRANT TO GPM THE RIGHTS SET FORTH HEREIN.