Business Associate Agreement Addendum
This Business Associate Agreement (“BAA”) is entered into by and between mdhub, Inc. (“mdhub”) and Provider as of the date of the last signature below. This BAA, pursuant to which mdhub is a Business Associate of Provider, is applicable only where Provider is a Covered Entity or a Business Associate and only when mdhub is acting as a Business Associate as defined in 45 CFR § 160.103.
The Parties have entered into one or more agreements, written or oral, pursuant to which mdhub performs functions or activities for, or provides services to, Provider that involve the use and disclosure of Protected Health Information (as defined below) (the “Agreement”).
1. Definitions.
Except as otherwise defined in this BAA, capitalized terms shall have the definitions set forth in 45 CFR Part 160 and Part 164 (“HIPAA Rules”), as amended from time to time.
“Protected Health Information” and “PHI” shall have the same meaning as the term “protected health information” in 45 CFR § 160.103 of the HIPAA Rules, provided that it is limited to such protected health information that is received by mdhub from, or created, received, maintained, or transmitted by mdhub on behalf of Provider, through the use of the Services.
“Services” shall mean the services provided by mdhub to Provider pursuant to an Agreement.
“Unsuccessful Security Incidents” means, without limitation, pings and other broadcast attacks on mdhub’s firewall, port scans, unsuccessful log-on attempts, denial of service attacks, and any combination of the above, as long as no such incident results in unauthorized access, acquisition, use, or disclosure of PHI.
2. Use and Disclosure of PHI
a. mdhub will not use or disclose PHI in a manner other than as permitted or required by the Agreement, this BAA, or by law. mdhub may use PHI to create de-identified information in accordance with 45 C.F.R. §§ 164.502(d) and 164.514(a)-(c), and mdhub owns all such de-identified data.
b. Except as otherwise limited in this BAA, mdhub may use or disclose PHI as reasonably necessary to provide the Services to Provider and to undertake other activities permitted or required of mdhub by the Agreement or this BAA; provided that such use or disclosure would not violate the HIPAA Rules if done by Provider, unless expressly permitted by Section 2(c).
c. mdhub may use and disclose PHI in its possession for the proper management and administration of mdhub’s business and to carry out its legal responsibilities, provided that any such disclosure may only occur if (i) it is required by law; or (ii) mdhub obtains, in writing, prior to making any disclosure to a third party (1) reasonable assurances from this third party that the PHI will be held confidential as provided under this BAA and used or further disclosed only as required by law or for the purpose for which it was disclosed to this third party and (2) an agreement from this third party to notify mdhub of any breaches of the confidentiality of the PHI.
3. Safeguards
mdhub will use reasonable and appropriate safeguards to prevent the use or disclosure of PHI other than as provided by the Agreement or this BAA and mdhub agrees to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the electronic PHI that it creates, receives, maintains or transmits on behalf of Provider.
4. Reporting
mdhub shall report to Provider: (1) any use and/or disclosure of PHI that is not permitted or required by this BAA of which mdhub becomes aware; (2) any Security Incident affecting PHI of which it becomes aware, provided that notice is hereby deemed given for Unsuccessful Security Incidents and no further notice of such Unsuccessful Security Incidents shall be given; and/or (3) any breach of Provider’s unsecured PHI that mdhub may discover. Notification of a breach will be made without unreasonable delay. Notification(s) under this section, if any, will be delivered to Provider pursuant to the notice section of the Agreement.
5. Agreements with Subcontractors
mdhub shall require its subcontractors who create, receive, maintain, or transmit PHI on behalf of mdhub to agree in writing to (a) substantially the same or no less restrictive restrictions and conditions that apply to mdhub with respect to such PHI; (b) appropriately safeguard the PHI; and (c) comply with the applicable requirements of 45 CFR Part 164 Subpart C of the Security Rule. mdhub remains responsible for its subcontractors’ compliance with the obligations of this BAA.
6. Disclosure to the Secretary.
mdhub shall make available its internal practices, records, and books relating to the use and/or disclosure of PHI received from Provider to the Secretary of the Department of Health and Human Services for purposes of determining Provider’s compliance with HIPAA, subject to attorney-client and other applicable legal privileges.
7. Access to and Amendment of PHI.
To the extent that mdhub maintains PHI in a Designated Record Set, mdhub shall 1) provide access to such PHI to Provider in a time and manner that meets the requirements of 45 C.F.R. § 164.524 for Provider to respond to a request for access by a person who is the subject of the PHI; and 2) make available to Provider PHI held in a designated record set for amendment and incorporate any such amendment as directed by Provider to allow Provider to comply with 45 C.F.R. § 164.526.
8. Accounting of Disclosure.
mdhub shall document any and all disclosures of PHI by mdhub or its agents, including subcontractors, as well as any other information related to such disclosures of PHI that would be required for Provider to respond to an individual’s request for an accounting of disclosures in accordance with 45 C.F.R. § 164.528.
9. Performance of a Provider’s Obligations.
To the extent mdhub is to carry out a Provider obligation under the Privacy Rule, mdhub shall comply with the requirements of the Privacy Rule that apply to Provider in the performance of such obligation.
10. Responsibilities of Provider.
With regard to the use and/or disclosure of PHI by mdhub, Provider agrees that (a) Provider shall not request mdhub to use or disclose PHI in any manner that would not be permissible under HIPAA if done by Provider (except to the extent permitted by HIPAA for a business associate); (b) Provider is responsible for implementing appropriate privacy and security safeguards to protect its PHI in compliance with HIPAA; (c) Provider agrees to notify mdhub of any restrictions on uses and disclosures of PHI to which Provider agrees that will impact in any manner the use and/or disclosure of that PHI by mdhub under this BAA; (d) Provider agrees to notify mdhub of any changes in, or revocation of, permission by an individual to use or disclose PHI that will impact in any manner the use and/or disclosure of that PHI by mdhub under this BAA; and (e) if applicable, Provider agrees to notify mdhub of any changes in its Notice of Privacy Practices that will impact in any manner the use and/or disclosure of PHI by mdhub under this BAA.
11. Term and Termination.
This BAA shall continue in effect until the earlier of (1) termination by a Party for breach as set forth in this BAA, or (2) expiration of the Agreement.
a. Upon written notice, either Party immediately may terminate the Agreement and this BAA if the other Party is in material breach or default of any obligation in this BAA. Either party may provide the other a thirty (30) calendar day period to cure a material breach or default within such written notice.
b. Upon expiration or termination of this BAA, mdhub shall return or destroy all PHI in its possession, if it is feasible to do so, and as set forth in the applicable termination provisions of the Agreement. If it is not feasible to return or destroy any portions of the PHI upon termination of this BAA, then mdhub shall extend the protections of this BAA, without limitation, to such PHI and limit any further use or disclosure of the PHI to those purposes that make the return or destruction infeasible for the duration of the retention of the PHI.
12. No Third Party Beneficiaries.
This BAA is between the parties hereto. Nothing express or implied in this BAA is intended to confer, nor shall anything herein confer, any rights, remedies, obligations, or liabilities whatsoever upon any person other than mdhub and Provider and any respective successors and assigns.
13. Miscellaneous.
a. Interpretation. The terms of this BAA shall prevail in the case of any conflict with the terms of any Agreement to the extent necessary to allow Provider and mdhub to comply with applicable provisions of HIPAA, the Privacy Rule, the Security Rule, or the Breach Notification Rule.
b. Privileges and Protections Not Waived. Nothing herein shall be construed as waiver of applicable legal or other privileges or protections held or enjoyed by either Party.
c. Amendment. This BAA shall not be amended except by the mutual written agreement of the Parties.
d. Assignment. Neither Party may assign any of its rights or obligations under this BAA without the prior written consent of the other Party.
e. Notice. Any notices required hereunder shall be given as set forth in the Agreement.
f. Counterparts. This BAA may be executed in any number of counterparts, each of which shall be deemed an original. Facsimile copies hereof shall be deemed to be originals.
g. Entire Agreement. This BAA constitutes the entire agreement of the Parties, superseding all prior oral and written agreements or understandings between them with respect to the matters provided for herein.
h. Independent Contractors. The Parties are and shall be independent contractors to one another, and nothing in this BAA shall be deemed to cause this BAA to create an agency, partnership, or joint venture between the Parties.