This page serves as an example of what a blank BAA with SecureVideo includes.
This Business Associate Addendum (this “BAA”) is an addendum to the existing agreement and/or terms of service between _____________________________________________ (“Covered Entity”) and Dura SV, LLC a Texas limited liability company dba as SecureVideo (“Business Associate”) (the “Services Agreement”) dated _____________.
A. This BAA is intended to comply with the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act of 2009, and their respective implementing regulations, including the Privacy Standards adopted by the U.S. Department of Health and Human Services as they may be amended from time to time, 45 C.F.R. parts 160 and 164, subparts A and E (the “Privacy Rule”), the Security Standards adopted by the U.S. Department of Health and Human Services as they may be amended from time to time, 45 C.F.R. parts 160, 162 and 164, subpart C (the “Security Rule”), and the Breach Notification Standards adopted by the U.S. Department of Health and Human Services, as they may be amended from time to time, at 45 C.F.R. part 164, subpart D (the “Breach Notification Rule”) (collectively, “HIPAA”).
B. This BAA applies to services provided by Business Associate as a Business Associate or Subcontractor Business Associate to Covered Entity, as a Covered Entity or a Business Associate, pursuant to the Services Agreement (the “Services”).
1. Defined Terms and Applicability
Terms that are defined in HIPAA and used in this BAA have the meanings given in HIPAA unless otherwise defined. As used in this BAA, “PHI” refers to ePHI that Business Associate receives, transmits, maintains, processes, accesses, uses, or discloses as part of providing Services. Unless otherwise stated, all references to a “Section” refer to a Section of Title 45 of the U.S. Code of Federal Regulations.
2. Permitted Use and Disclosure of PHI
Business Associate may use and disclose PHI only to provide the Services, as expressly permitted or required by this BAA or the Services Agreement, or as required by law.
Business Associate may use and disclose PHI if necessary for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, provided that any disclosure of PHI must be either (i) required by law, or (ii) made to a person who has signed an agreement stating that the PHI will be held in confidence and used or further disclosed only as required by law, or for the purposes for which it was disclosed to that person.
Business Associate shall use reasonable and appropriate safeguards to prevent unauthorized use or disclosure of PHI and to comply with the applicable requirements of the Security Rule.
Business Associate shall require any subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate to agree to materially the same restrictions and conditions that apply to Business Associate under this BAA. Business Associate shall use subcontractors only as expressly permitted by the Services Agreement.
5. Individual Requests and Accounting of Disclosures
Covered Entity acknowledges that the Services do not involve Business Associate maintaining PHI in a designated record set. However, Business Associate agrees that if and to the extent it maintains PHI in a designated record set, it shall do each of the following to enable Covered Entity to timely comply with Covered Entity’s obligations under Sections 164.524 and 164.526:
(i) give Covered Entity access to the PHI maintained in the designated record set within ten (10) business days of receipt of Covered Entity’s request; and
(ii) make the designated record set available to Covered Entity for amendment or incorporate any amendment to the PHI as directed by Covered Entity, within ten (10) business days of receipt of Covered Entity’s request.
Business Associate shall maintain the information necessary to provide an accounting of disclosures under Section 164.528 for at least the time periods required by the Privacy Rule, and provide Covered Entity with that information no later than twenty (20) business days of receipt of Covered Entity’s request.
6. Compliance with Privacy Rule
To the extent Business Associate is to carry out Covered Entity’s obligations under the Privacy Rule, Business Associate shall comply with the requirements of the Privacy Rule that apply to the Covered Entity in the performance of such obligations. Covered Entity shall give Business Associate timely notice of each of the following if and to the extent it changes Business Associate’s use or disclosure of the PHI under this Section: (i) changes to or withdrawal of an individual’s authorization required under Section 164.508; and (ii) restrictions to the use or disclosure of PHI agreed by Covered Entity. Business Associate shall comply with the change or withdrawal described in the notice except to the extent it has used or disclosed the PHI in reliance on the authorization prior to the notice, or as otherwise required by law.
7. Business Associate Books and Records
Business Associate shall make available its internal practices, books, and records relating to the use and disclosure of PHI received from Covered Entity, or created or received by the Business Associate on Covered Entity’s behalf, to the Secretary for purposes of determining Business Associate’s and Covered Entity’s compliance with HIPAA and this BAA.
8. Term and Termination
8.1 Term. This BAA is effective as of the later of the Effective Date stated below, or the first day that Business Associate creates, receives, maintains or transmits PHI on Covered Entity’s behalf. This BAA terminates on expiration or earlier termination of the Services Agreement, except to the extent expressly provided in Subsection 8.3 (Destruction, Return of PHI).
8.2 Termination for Violation. Covered Entity may terminate this BAA if Covered Entity determines that Business Associate has violated a material term of this BAA. Covered Entity shall terminate this BAA in accordance with the termination provisions of the Services Agreement, provided that Covered Entity is not required to give Business Associate an opportunity to cure the violation.
8.3 Destruction, Return of PHI. On termination of the BAA or the Services Agreement, whichever occurs first, Business Associate shall return or destroy all PHI received from, or created or received by Business Associate on Covered Entity’s behalf, and retain no copies, or, if such destruction is not feasible, extend the protections of this BAA to the PHI and limit further uses or disclosures to those purposes that make the return or the destruction of the information infeasible.
9. Covered Entity Obligations
Covered Entity shall disclose to Business Associate only the minimum necessary PHI for Business Associate to perform the Services. Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Covered Entity, and Business Associate is not required to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Covered Entity. Covered Entity shall use encryption or other security features supported or made available by Business Associate to protect the PHI.
10.1 Notices of Security Incidents. Business Associate will notify Covered Entity of any successful security incidents involving PHI of which Business Associate becomes aware without unreasonable delay and in all events within the time required by the Breach Notification Rule for a breach of unsecured protected health information. Business Associate shall report to Covered Entity any unsuccessful security incidents on a quarterly basis, provided that Business Associate hereby notifies Covered Entity, and no further notice shall be required, that there may be routine unsuccessful security incidents, such as pings, port scans, unsuccessful log-on attempts, denials of service, and events of similar magnitude.
10.2 Notice of Breach of Unsecured PHI. Business Associate will include in its notice of any breach of Unsecured PHI the information available to it regarding the breach that is necessary for Covered Entity to meet Covered Entity’s reporting obligations under the HIPAA Regulations and will provide additional information as required by the HIPAA Regulations as it becomes available to it.
10.3 Breach Mitigation. Business Associate shall take reasonable steps, in cooperation with Covered Entity, to mitigate any breach, provided that Covered Entity shall be responsible for giving notices as required by Sections 164.404, 164.406, and 164.408. Business Associate shall bear the reasonable cost of giving notices, and other reasonable steps to mitigate a breach to the extent the breach resulted from Business Associate’s violation of the BAA. Otherwise Covered Entity shall be responsible for the costs of notices and other mitigating steps, and shall promptly reimburse Business Associate for its reasonable out-of-pocket expenses incurred to cooperate with Covered Entity’s mitigation efforts.
10.4 Law Enforcement Delay. Notwithstanding anything to the contrary in this BAA or the Services Agreement, Business Associate may delay notifications under this Section as permitted under Section 164.41 (Law Enforcement Delay).
11.1 Notices. Notices under this BAA must be given in writing by electronic mail. Notices to Business Associate must be given at firstname.lastname@example.org. Notices to Covered Entity must be given at the email address for the primary account contact on Business Associate’s account records on the date of the notice. Notices are deemed given and received on the date transmitted via electronic mail, or if that day is not a business day, on the first business day that follows the transmission of the notice.
11.2 Amendments. This BAA may not be modified except by formal written amendment signed by the parties. The parties agree to amend this BAA from time to time as necessary to comply with changes to HIPAA.
11.3 Assignment of Rights and Delegation of Duties. This BAA is binding upon and inures to the benefit of the parties’ successors and permitted assigns. Neither party may assign this BAA except in connection with an assignment of the Services Agreement that is expressly permitted by the Services Agreement.
11.4 No Agency. Business Associate is not Covered Entity’s agent. Nothing in this BAA is intended to create (i) a partnership, joint venture or other joint business relationship between the parties or any of their affiliates, (ii) any fiduciary duty from one party to the other or any of its affiliates, or (iii) a relationship of employer and employee.
11.5 No Waiver. No right or remedy arising in connection with this BAA is waived by a course of dealing between the parties, or a party’s delay in exercising the right or remedy. A party may waive a right or remedy only by signing a written document that expressly identifies the right or remedy waived. Unless expressly stated in the waiver, a waiver of any right or remedy on one occasion is not a waiver of that right or remedy on any other occasion, or a waiver of any other right or remedy.
11.6 Severability. In the event one or more of the terms of this BAA are adjudicated invalid, illegal, or unenforceable, the adjudicating body may either interpret this BAA as if such terms had not been included, or may reform such terms to the limited extent necessary to make them valid, legal or enforceable, consistent with the regulatory requirements underlying this BAA and the economic incentives underlying the Services Agreement.
11.7 No Third Party Beneficiaries. There are no third party beneficiaries of this BAA, and nothing in this BAA is intended to confer any right or benefit on a person not party to this BAA or impose any obligation on either party to any person who is not a party to this BAA.
11.8 Interpretations. The descriptive headings of this BAA are inserted for convenience only, do not constitute a part of this BAA and shall not affect in any way the meaning or interpretation of this BAA. Any ambiguity in this BAA shall be resolved in favor of a meaning that permits the Parties to comply with the HIPAA Rules.
11.9 Entire Agreement. This BAA constitutes the entire agreement between the parties with respect to the subject matter of this BAA and entirely supersedes any previous or contemporaneous agreements or understandings, whether written or oral, between the parties with respect to the subject matter of this BAA. If there is a conflict between this BAA and the Services Agreement, the BAA shall control.