SUBCONTRACTOR BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement (this “BAA”) is entered into effective as of the last date signed (“Effective Date”) by and between the Customer (“Covered Entity”) as indicated on the Nimblify Payments Agreement form and Nimblify, Inc. on behalf of itself and its affiliates (“Business Associate”) (each a “Party” and collectively, the “Parties”).
RECITALS
WHEREAS, Company is a “Business Associate” of Covered Entities, as those terms are defined under the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-91), as amended, (“HIPAA”), and the regulations promulgated thereunder by the Secretary of the U.S. Department of Health and Human Services (“Secretary”), including, without limitation, the regulations codified at 45 C.F.R. Parts 160 and 164 (“HIPAA Regulations”);
WHEREAS, in the performance of Business Associate functions or services on behalf of Covered Entities, Company subcontracts with certain other entities that perform Services for or on behalf of Company, and in performing said Services, create, receive, maintain, or transmit Protected Health Information (“PHI”). Such “Subcontractors” are defined as “Business Associates” of Company pursuant to HIPAA Regulations;
WHEREAS, the Parties intend to protect the privacy and provide for the security of PHI Disclosed by Company to Nimblify, or received or created by Nimblify, when providing Services in compliance with HIPAA, the Health Information Technology for Economic and Clinical Health Act (Public Law 111-005) (the “HITECH Act”) and its implementing regulations and guidance issued by the Secretary, and other applicable state and federal laws, all as amended from time to time; and
WHEREAS, Company is required under HIPAA to enter into a Business Associate Agreement with each Subcontractor that meets certain requirements with respect to the Use and Disclosure of PHI, which are met by this BAA.
NOW THEREFORE, in consideration of the Recitals and for other good and valuable consideration, the receipt and adequacy of which is hereby acknowledged, the Parties agree as follows:
AGREEMENT
In consideration of the recitals and for other good and valuable consideration, the receipt and adequacy of which is hereby acknowledged, the Parties agree as follows:
ARTICLE I – DEFINITIONS
The following terms shall have the meanings set forth below. Capitalized terms used in this BAA and not otherwise defined shall have the meanings ascribed to them in HIPAA, the HIPAA Regulations, or the HITECH Act, as applicable.
1.1 “Breach” shall have the meaning given under 45 C.F.R. § 164.402.
1.2 “Designated Record Set” shall have the meaning given such term under 45 C.F.R. § 164.501.
1.3 “Disclose” and “Disclosure” mean, with respect to PHI, the release, transfer, provision of access to, or divulging in any other manner of PHI outside of Nimblify or to other persons, other than members of its Workforce, as set forth in 45 C.F.R. § 160.103.
1.4 “Electronic PHI” or “e-PHI” means PHI that is transmitted or maintained in electronic media, as set forth in 45 C.F.R. § 160.103.
1.5 “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. Parts 160 and 164, Subparts A and E, as may be amended from time to time.
1.6 “Protected Health Information” and “PHI” mean any information, whether oral or recorded in any form or medium, that: (a) relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual, or the past, present or future payment for the provision of health care to an individual; (b) identifies the individual (or for which there is a reasonable basis for believing that the information can be used to identify the individual); and (c) shall have the meaning given to such term under the Privacy Rule at 45 C.F.R. § 160.103. Protected Health Information includes e-PHI.
1.7 “Subcontractor” shall have the meaning given to such term under 45 C.F.R. § 160.103.
1.8 “Security Incident” shall have the meaning given to such term under 45 C.F.R. § 164.304.
1.9 “Services” shall mean the services for or functions on behalf of Company performed by Nimblify pursuant to any service agreement(s) between Company and Nimblify which may be in effect now or from time to time (“Underlying Agreement”), or, if no such agreement is in effect, the services or functions performed by Nimblify that constitute a Business Associate relationship, as set forth in 45 C.F.R. § 160.103.
1.10 “Unsecured PHI” shall have the meaning given to such term under 45 C.F.R. § 164.402.
1.11 “Use” or “Uses” mean, with respect to PHI, the sharing, employment, application, utilization, examination or analysis of such PHI within Nimblify’s internal operations, as set forth in 45 C.F.R. § 160.103.
1.12 “Workforce” shall have the meaning given to such term under 45 C.F.R. § 160.103.
ARTICLE II – OBLIGATIONS OF NIMBLIFY
2.1 Permitted Uses and Disclosures of Protected Health Information. Nimblify shall not Use or Disclose PHI other than for the purposes of performing the Services, as permitted or required by this BAA, or as Required by Law. Nimblify shall not Use or Disclose PHI in any manner that would constitute a violation of Subpart E of 45 C.F.R. Part 164 if so Used or Disclosed by Company. Without limiting the generality of the foregoing, Nimblify is permitted to (i) Use PHI for the proper management and administration of Nimblify; (ii) Use and Disclose PHI to carry out the legal responsibilities of Nimblify, provided that with respect to any such Disclosure either: (a) the Disclosure is Required by Law; or (b) Nimblify obtains reasonable assurances from the person to whom the PHI is to be Disclosed that such person will hold the PHI in confidence and will not Use and further Disclose such PHI except as Required by Law and for the purpose(s) for which it was Disclosed by Nimblify to such person, and that such person will notify Nimblify of any instances of which it is aware in which the confidentiality of the PHI has been breached; (iii) Use PHI for Data Aggregation purposes in connection with the Health Care Operations of Company; or (iv) Use PHI for purposes of de-identification of the PHI.
2.2 Adequate Safeguards of PHI. Nimblify shall implement and maintain appropriate safeguards and shall comply with the applicable requirements of Subpart C of 45 C.F.R. Part 164 to prevent Use or Disclosure of PHI other than as provided for by this BAA.
2.3 Reporting Security Incidents and Non-Permitted Use or Disclosures of PHI. Nimblify shall report to Company in writing any Use or Disclosure by Nimblify or its Subcontractors that is not specifically permitted by this BAA and each Security Incident, including Breaches of Unsecured PHI, within twenty (20) calendar days of becoming aware. Notwithstanding the foregoing, Nimblify and Company acknowledge the ongoing existence and occurrence of attempted but ineffective Security Incidents that are trivial in nature, such as pings and other broadcast service attacks, and Company acknowledges and agrees that this section shall constitute notice, and no additional notification to Company of such ineffective Security Incidents is required, as long as no such incident results in unauthorized access, Use or Disclosure of PHI. If Nimblify determines that a Breach of Unsecured PHI has occurred, Nimblify shall provide a written report to Company without unreasonable delay but no later than thirty (30) calendar days after discovery of the Breach. To the extent that information is available to Nimblify, Nimblify’s written report to Company shall be in accordance with 45 C.F.R. §164.410(c).
2.4 Use of Subcontractors. Nimblify shall require each of its Subcontractors that creates, maintains, receives, or transmits PHI on behalf of Nimblify, to execute a Nimblify Agreement that imposes on such Subcontractors substantially the same restrictions, conditions, and requirements that apply to Nimblify under this BAA with respect to PHI.
2.5 Access to Protected Health Information. To the extent that Nimblify maintains a Designated Record Set on behalf of Company, Nimblify shall make the PHI it maintains (or which is maintained by its Subcontractors) in Designated Record Sets available to Company for inspection and copying, or to an individual to enable Company to fulfill its obligations under 45 C.F.R. § 164.524.
2.6 Amendment of Protected Health Information. To the extent that Nimblify maintains a Designated Record Set on behalf of Company, Nimblify shall amend the PHI it maintains (or which is maintained by its Subcontractors) in Designated Record Sets to enable the Company to fulfill its obligations under 45 C.F.R. § 164.526.
2.7 Accounting. To the extent that Nimblify maintains a Designated Record Set on behalf of Company, within thirty (30) days of receipt of a request from Company or an individual for an accounting of disclosures of PHI, Nimblify and its Subcontractors shall make available to Company the information required to provide an accounting of disclosures to enable Company to fulfill its obligations under 45 C.F.R. § 164.528 and 42 U.S.C. § 17935(c).
2.8 Delegated Responsibilities. To the extent that Nimblify carries out one or more of Company’s obligations under Subpart E of 45 C.F.R. Part 164, Nimblify must comply with the requirements of Subpart E that apply to the Company in the performance of such obligations.
2.9 Availability of Internal Practices, Books, and Records to Government. Nimblify agrees to make its internal practices, books and records relating to the Use and Disclosure of Company’s PHI available to the Secretary for purposes of determining Company’s compliance with HIPAA, the HIPAA Regulations, and the HITECH Act.
ARTICLE III – TERM AND TERMINATION
3.1 Term. The term of this BAA shall be effective as of the Effective Date and shall terminate as of the date that all of the PHI provided by Company to Nimblify, or created or received by Nimblify on behalf of Company, is destroyed or returned to Company, or, if it is infeasible to return or destroy the PHI, protections of this BAA are extended to such information.
3.2 Termination for Cause. Upon Company’s knowledge of a material breach or violation of this BAA by Nimblify, Company shall notify Nimblify of the breach in writing, and provide an opportunity for Nimblify to cure the breach or end the violation within thirty (30) business days of such notification; provided that if Nimblify fails to cure the breach or end the violation within such time period, Company may immediately terminate this BAA upon written notice to Nimblify.
3.3 Disposition of Protected Health Information Upon Termination or Expiration.
(a) Upon termination or expiration of this BAA, Nimblify shall either return or destroy all PHI received from, or created or received by Nimblify on behalf of Company, that Nimblify still maintains in any form and retain no copies of such PHI.
(b) If return or destruction is not feasible, Nimblify shall continue to extend the protections of this BAA to the PHI for as long as Nimblify retains the PHI and limit further Uses and Disclosures of such PHI to those purposes that make the return or destruction of the PHI infeasible.
ARTICLE IV – MISCELLANEOUS
4.1 Relationship to Underlying Agreement Provisions. In the event that a provision of this BAA is contrary to a provision of an Underlying Agreement, the provision of this BAA shall control. Otherwise, this BAA shall be construed under, and in accordance with, the terms of such Underlying Agreement, and shall be considered an amendment of and supplement to such Underlying Agreement, subject to Section 4.2 below.
4.2 Notices. Any notices required or permitted to be given hereunder by either Party to the other shall be given in writing: (1) by personal delivery; (2) by electronic mail or facsimile with confirmation sent by United States first class registered or certified mail, postage prepaid, return receipt requested; (3) by bonded courier or by a nationally recognized overnight delivery service; or (4) by United States first class registered or certified mail, postage prepaid, return receipt, in each case, addressed to a Party on the signature page(s) to this BAA or to such other addresses as the Parties may request in writing by notice given pursuant to this Section 4.2. Notices shall be deemed received on the earliest of personal delivery; upon delivery by electronic facsimile with confirmation from the transmitting machine that the transmission was completed; twenty-four (24) hours following deposit with a bonded courier or overnight delivery service; or seventy-two (72) hours following deposit in the U.S. mail as required herein.
Notice Address (Company): As listed on Nimblify
Notice Address (Nimblify): Nimblify, Inc.
4.3 No Third Party Beneficiaries. Nothing expressed or implied in this BAA or the Underlying Agreement is intended to confer, nor will it confer, upon any person any rights, remedies, obligations or liabilities other than those explicitly detailed in this BAA or in the Agreement.
4.4 Relationship of Parties. Notwithstanding anything to the contrary in any Underlying Agreement, Nimblify is an independent contractor and not an agent of Company under this BAA. Nimblify has the sole right and obligation to supervise, manage, contract, direct, procure, perform or cause to be performed all Nimblify obligations under this BAA.
4.5 Amendment. To the extent applicable, amendments or modification to HIPAA or the HITECH Act may require amendments to certain provisions of this BAA. Amendments shall only be effective if executed in writing and signed by a duly authorized representative of each Party.
4.6 Entire Agreement. This BAA constitutes the entire agreement between the Parties, and supersedes all other agreements, express or implied, oral or written, between the Parties related to the subject matter of this BAA.
4.7 Interpretation. To the extent that the terms of this BAA are not clear in satisfying the Parties’ intention to comply with the applicable requirements of HIPAA, the HIPAA Regulations, and the HITECH Act, these BAA terms shall be construed so as to allow for compliance by both Parties with the applicable requirements of HIPAA, the HIPAA Regulations, and the HITECH Act.
4.8 LIMITATION OF LIABILITY. NEITHER PARTY SHALL BE LIABLE TO THE OTHER PARTY FOR ANY INCIDENTAL, CONSEQUENTIAL, SPECIAL, OR PUNITIVE DAMAGES OF ANY KIND OR NATURE, WHETHER SUCH LIABILITY IS ASSERTED ON THE BASIS OF CONTRACT, TORT (INCLUDING NEGLIGENCE OR STRICT LIABILITY), OR OTHERWISE, EVEN IF THE OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH LOSS OR DAMAGES. IN ANY EVENT, EACH PARTY’S AGGREGATE LIABILITY TO THE OTHER PARTY FOR ALL DAMAGES OF EVERY KIND AND TYPE ARISING FROM THIS AGREEMENT SHALL NOT EXCEED THE TOTAL FEES COMPANY PAID NIMBLIFY UNDER THE APPLICABLE UNDERLYING AGREEMENT.
4.9 Counterparts. This BAA may be executed in separate counterparts, none of which need contain the signatures of both Parties, and each of which, when so executed, shall be deemed to be an original, and such counterparts shall together constitute and be one and the same instrument. The Parties further agree that facsimile signatures or signatures scanned into .pdf (or similar) format and sent by e-mail shall be deemed original signatures.
01062016