This Business Associate Agreement (“BAA”) is entered into between the health care provider organization that accepts it (the “Covered Entity”) and TRIJ Ventures, Inc. d/b/a Kronos Health, which operates the Aequitas legal and medical reporting platform (“Business Associate,” “Aequitas,” “we,” “us”). It applies to Protected Health Information that Business Associate creates, receives, maintains, or transmits on behalf of Covered Entity in connection with the Aequitas service. This BAA supplements and is incorporated into the Terms of Service.
The parties enter into this BAA to comply with the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations, including the Privacy, Security, and Breach Notification Rules at 45 C.F.R. Parts 160 and 164, as amended by the HITECH Act (collectively, “HIPAA”).
1. Definitions
Capitalized terms used but not defined in this BAA have the meanings given to them in HIPAA. As used here, “Protected Health Information” or “PHI” means Protected Health Information, as defined in 45 C.F.R. § 160.103, that Business Associate creates, receives, maintains, or transmits for or on behalf of Covered Entity, and includes Electronic Protected Health Information (“ePHI”).
2. Permitted uses and disclosures
Business Associate may use and disclose PHI only as necessary to perform the services described in the Terms of Service, as permitted or required by this BAA, or as Required by Law. Business Associate may also use PHI for the proper management and administration of Business Associate, or to carry out its legal responsibilities, and may disclose PHI for those purposes only if the disclosure is Required by Law, or if Business Associate obtains reasonable assurances that the recipient will hold the PHI confidentially, use or further disclose it only as Required by Law or for the purpose for which it was disclosed, and notify Business Associate of any breach of confidentiality. Business Associate may de-identify PHI in accordance with 45 C.F.R. § 164.514, and may aggregate data as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B).
3. Obligations of Business Associate
Business Associate agrees to:
- Not use or disclose PHI other than as permitted or required by this BAA or as Required by Law;
- Use appropriate safeguards, and comply with Subpart C of 45 C.F.R. Part 164 (the Security Rule) with respect to ePHI, to prevent use or disclosure of PHI other than as provided for by this BAA;
- Report to Covered Entity any use or disclosure of PHI not provided for by this BAA of which it becomes aware, including Breaches of Unsecured PHI as required by 45 C.F.R. § 164.410, and any Security Incident of which it becomes aware, without unreasonable delay and in no case later than the timeframes required by HIPAA;
- In accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree in writing to restrictions and conditions at least as protective as those that apply to Business Associate;
- Make PHI available to Covered Entity as necessary to satisfy Covered Entity’s obligations to provide access under 45 C.F.R. § 164.524;
- Make PHI available for amendment, and incorporate any amendments to PHI, as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. § 164.526;
- Maintain and make available the information required to provide an accounting of disclosures as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. § 164.528;
- To the extent Business Associate is to carry out one or more of Covered Entity’s obligations under Subpart E of 45 C.F.R. Part 164, comply with the requirements of Subpart E that apply to Covered Entity in the performance of those obligations; and
- Make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of the U.S. Department of Health and Human Services for purposes of determining Covered Entity’s compliance with HIPAA.
4. Obligations of Covered Entity
Covered Entity shall notify Business Associate of any limitation(s) in its notice of privacy practices, of any changes in, or revocation of, an individual’s permission to use or disclose PHI, and of any restriction on the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 C.F.R. § 164.522, in each case to the extent that such limitation, change, revocation, or restriction may affect Business Associate’s use or disclosure of PHI. Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under HIPAA if done by Covered Entity, except as permitted under Section 2 above.
5. Term and termination
This BAA is effective as of the date Covered Entity accepts it and continues until all PHI is returned or destroyed, or protections are extended as set out below. Covered Entity may terminate this BAA and the services if it determines that Business Associate has violated a material term and Business Associate has not cured the breach within a reasonable period.
Upon termination, Business Associate shall, if feasible, return or destroy all PHI received from, or created, maintained, or received on behalf of, Covered Entity that Business Associate still maintains, and retain no copies. Where return or destruction is not feasible, Business Associate shall extend the protections of this BAA to such PHI and limit further uses and disclosures to those purposes that make return or destruction infeasible, for so long as Business Associate maintains the PHI.
6. Miscellaneous
A reference in this BAA to a section of HIPAA means the section as in effect or as amended. The parties agree to take such action as is necessary to amend this BAA from time to time as is necessary for compliance with HIPAA. Any ambiguity in this BAA shall be resolved to permit the parties to comply with HIPAA. Except as expressly stated here or as required by HIPAA, this BAA creates no rights in any third party. If any term conflicts with the Terms of Service, this BAA controls with respect to the subject matter of HIPAA. This BAA is governed by the laws of the State of New York, without regard to its conflict-of-laws rules, except to the extent preempted by federal law. The obligations of Business Associate under Section 5 survive termination of this BAA.
7. Electronic acceptance
This BAA is accepted electronically at account signup. By checking the acceptance box and typing their full legal name, the person accepting represents that they are authorized to bind the Covered Entity, and that acceptance constitutes an electronic signature under the federal ESIGN Act and applicable state law. Aequitas records the signatory’s name, the agreement version, and the date, time, and originating IP address of acceptance as evidence of execution. A practice administrator can retrieve their practice’s executed agreements from within the Aequitas application.
Questions about this BAA can be directed to aequitas@kronosgroup.health.