HealthJay Business Associate Agreement
Last updated November 9, 2020
This Business Associate Agreement (this “BAA”) is entered into by and between HealthJay Inc. (“HJI”) and (“Company”) pursuant to the HealthJay Order Form of even date herewith, HealthJay Standard Terms and Conditions and all other relevant agreements governing services to be provided to Company by HealthJay Inc. under common control with HealthJay, as subsequently amended from time to time (collectively, the “Agreement”).
WHEREAS, under the Agreement, HJI may have access to and use of protected health information (“PHI”) of Company, which is governed by, and subject to, the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act of 2009, and the implementing regulations set forth at 45 CFR Parts 160 and 164, Subpart C (the “Security Rule”), Subpart D (the “Breach Notification Rule”), and Subpart E (the “Privacy Rule”) (collectively, the “HIPAA Rules”);
WHEREAS, HealthJay Inc. has appropriate inter-company services and data sharing and protection arrangements to enable social engagement network platform services to be provided to authorized healthcare partners;
WHEREAS, if in the course of providing services under the Agreement (the “Services”), HJI receives PHI as defined under the HIPAA Rules, then HJI will be deemed a Business Associate of Company and will comply with this BAA. Capitalized terms used in this BAA have the meanings given to them in the HIPAA Rules.
NOW THEREFORE, HealthJay and Company agree as follows:
1. Compliance with HIPAA Rules. HealthJay may use and disclose PHI received from Company to provide the Services contemplated by the Agreement. Except as expressly provided below, this BAA does not authorize HealthJay to make any use or disclosure of PHI that Company would not be permitted to make.
2. Obligations and Activities of HealthJay. HealthJay will perform the following specific duties in accordance with the HIPAA Rules:
a. Use and Disclosure. HealthJay will not use or further disclose PHI except as permitted by the Agreement, or as required by law.
b. Safeguards. HealthJay will use appropriate safeguards and comply with the Security Rule with respect to electronic PHI, to prevent use or disclosure of PHI other than as provided for by this BAA.
c. Minimum Necessary. HealthJay agrees to make reasonable efforts to limit the use and/or disclosure of PHI to the minimum amount of information necessary to accomplish the intended purpose of the use or disclosure.
d. Mitigation. HealthJay agrees to mitigate, to the extent reasonably practicable, any harmful effect known to HealthJay of a use or disclosure of PHI by HealthJay in violation of this BAA.
e. Subcontractors. HealthJay will ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of HealthJay agree to no less than the same restrictions, conditions, and requirements that apply to HealthJay with respect to such information.
f. Access to PHI. Because HealthJay does not maintain PHI in a Designated Record Set (which PHI is also separately held by Company), HealthJay is not required to provide an Individual access to PHI pursuant to 45 CFR §164.524. In the event HealthJay receives a request by an Individual for access to their PHI, HealthJay shall notify Company of such request.
g. Amendment of PHI. Upon request by Company pursuant to 45 CFR §164.526 to amend PHI regarding an Individual, HealthJay shall provide reasonable collaboration in relation to such amendment, to the extent HealthJay may use such PHI in providing the Services. HealthJay is not required to provide PHI to Company for amendment pursuant to 45 CFR §164.526.
h. Accountings. HealthJay will make available the information required to provide an accounting of disclosures by HealthJay, if any, to the extent required in accordance with 45 CFR §164.528. HealthJay will, upon notice from Company on requests by Individuals for accounting of disclosures of PHI, collaborate with Company to the extent reasonably necessary to facilitate Company’s response to such requests, in compliance with 45 CFR §164.528. Nothing in this BAA shall require HealthJay to maintain or provide an access report of PHI unless such action is determined to be required by amendments to 45 C.F.R. § 164.528.
i. Books and Records. HealthJay will make available its internal practices, books, and records relating to the use and disclosure of PHI received from, or created by HealthJay on behalf of, Company to the Secretary of the Department of Health and Human Services for purposes of determining Company’s compliance with HIPAA Rules.
j. Reporting. HealthJay agrees to promptly report to Company any Security Incident or other use or disclosure of the PHI not permitted by this BAA of which it becomes aware. If HealthJay discovers that a Breach of Unsecured PHI has occurred, HealthJay shall promptly (but in no event later than thirty (30) days after it has knowledge that a Breach has occurred, unless sooner required under state law) notify the Company in accordance with the requirements of 45 CFR §164.410. The parties acknowledge and agree that this section constitutes notice by HealthJay to Company that attempted but unsuccessful security incidents, such as pings and other broadcast attacks on HealthJay’s firewall, port scans, unsuccessful logon attempts, denials of service and any combination of the above, regularly occur and that no further notice will be made by HealthJay so long as no such incident results in unauthorized access, use or disclosure of PHI.
k. Privacy Rule Obligations. To the extent HealthJay is to carry out one or more of Company’s obligations under the Privacy Rule, HealthJay shall comply with the applicable requirements of the Privacy Rule that apply to Company in the performance of such obligations.
3. Permitted Uses and Disclosures by HealthJay.
a. Uses and Disclosures. Except as otherwise expressly limited in this BAA, HealthJay may use and disclose PHI to perform functions, activities or services for, or on behalf of, Company and HealthJay, provided that such use or disclosure would not violate the HIPAA Rules if done by Company.
b. Management and Administration. Except as otherwise expressly limited in this BAA, HealthJay may use PHI for the proper management and administration of HealthJay or to carry out the legal responsibilities of HealthJay. Except as otherwise expressly limited in this BAA, HealthJay may disclose PHI for disclosures that are Required By Law, or if HealthJay obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person notifies HealthJay of any instances of which it is aware in which the confidentiality of the information has been breached.
c. Data Aggregation. HealthJay may use and disclose PHI to provide Data Aggregation services to Company as permitted by 45 C.F.R. §164.504(e)(2)(i)(B).
d. De-Identified Information. HealthJay may use and disclose PHI received from Company that has been de-identified by HealthJay in accordance with 45 C.F.R. §164.514. HealthJay’s use and disclosure of such de-identified information will not be subject to the requirements set forth in this BAA.
4. Obligations of Company.
a. Restrictions on Uses or Disclosures. Company shall notify HealthJay of any restriction on the use or disclosure of PHI that Company has agreed to or is required to abide by under 45 C.F.R. §164.522, to the extent that such restriction affects HealthJay’s use or disclosure of PHI.
b. Requests for Uses or Disclosures. Company shall not request HealthJay to use or disclose PHI in any manner that would not be permissible under the Privacy Rule if done by Company.
5. Term and Termination.
a. Term. The term of this BAA shall commence on the Effective Date of the Agreement and shall terminate (i) upon termination or expiration of the Agreement, or (ii) upon termination as set forth in Section 5(b), whichever is earlier. Notwithstanding the foregoing, HealthJay may terminate this BAA for any reason, with or without cause, upon thirty (30) days’ notice to the Company and subject to the provisions of Section 5(c).
b. Termination. Upon thirty (30) days’ notice to the other party and for any reason, either party may terminate this BAA together with the Agreement. Upon either party’s (the “Non-Breaching Party”) knowledge of a material breach by the other party (the “Breaching Party”), the Non-Breaching Party may provide a reasonable opportunity for the Breaching Party to cure the material breach within a reasonable time, and if the Breaching Party does not cure the material breach within such time, the Non-Breaching Party may terminate this BAA. If the Breaching Party has breached a material term of this BAA and cure is not possible, the Non-Breaching Party may immediately terminate this BAA.
c. Effect of Termination. Upon termination of this BAA, for any reason, HealthJay shall return or destroy all PHI received from Company or created or received by HealthJay on behalf of Company. This provision shall also apply to PHI that is in the possession of subcontractors or agents of HealthJay. HealthJay shall retain no copies of the PHI. Notwithstanding the foregoing, in the event that HealthJay determines that returning or destroying the PHI is not feasible, HealthJay shall extend the protections of this BAA to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction not feasible, for so long as HealthJay maintains such PHI.
a. Regulatory References; Interpretation. A reference in this BAA to a section in the HIPAA Rules means the section as in effect or as amended from time to time, and for which compliance is required. Any ambiguity in this BAA shall be resolved to permit compliance with the HIPAA Rules.
b. Primacy. To the extent that any provisions of this BAA conflict with the provisions of any other agreement or understanding between the parties, this BAA shall control with respect to the subject matter of this BAA.
c. Amendments; Waiver. This BAA may not be modified, nor shall any provision be waived or amended, except in writing duly signed by the parties. A waiver with respect to one event shall not be construed as continuing, or as a bar to or waiver of any right or remedy as to subsequent events. The parties will amend this BAA from time to time as necessary to comply with changes to the HIPAA Rules.
d. Assignment. Neither party shall assign this BAA without the prior written consent of the other party, except that the parties agree that HealthJay may, in its sole discretion, assign this BAA to any affiliate, subsidiary, or in the event of a public offering, merger or sale of all or substantially all of its assets, and, in such instance, the BAA shall continue in full force and effect without any further action of the parties.
e. Notices. Any notices required hereunder shall be provided pursuant to the notice provision in the Agreement.
f. Survival. The respective rights and obligations of the parties shall survive the termination of this BAA.
g. No Third Party Beneficiaries. Nothing express or implied in this BAA is intended or shall be deemed to confer upon any person other than Company, HealthJay, and their respective successors and assigns, any rights, obligations, remedies or liabilities.
h. Independent Contractors. No provision of this BAA is intended to create, nor shall be deemed or construed to create, any employment, agency or joint venture relationship between Company and HealthJay other than that of independent entities contracting with each other hereunder solely for the purpose of effectuating the provisions of this BAA. The parties have reviewed the factors to determine whether an agency relationship exists under the federal common law of agency and it is not the intention of either Company or HealthJay that HealthJay constitute an “agent” under such common law.
i. Governing Law. This BAA shall be governed by, and construed in accordance with, the laws of the State of California, exclusive of conflict of law rules. Each party hereby agrees and consents that any legal action or proceeding with respect to this BAA shall only be brought in the courts of the State of California and the county of Santa Clara.
j. Entire Agreement. The Agreement together with this BAA constitutes the entire agreement between the parties with respect to the subject matter contained herein.