BUSINESS ASSOCIATE AGREEMENT

You or the Client or Customer, whichever is applicable (“Client”), is a Covered Entity (or is a Business Associate to one or more Covered Entities) pursuant to the Health Insurance Portability and Accountability Act of 1996, the Health Information Technology for Economic and Clinical Health Act (commonly referred to as the “HITECH Act”), and the regulations promulgated under the foregoing from time to time by the United States Department of Health and Human Services (collectively, as amended from time to time, “HIPAA”). Client and Company have entered into the Terms of Service into which this BAA is incorporated by reference (the “Agreement”), pursuant to which Company will provide the Platform to Client (the “Services”). In the course of providing the Services, Client may make available to Company, or have Company obtain or create on its behalf, information that may be deemed Protected Health Information subject to the provisions of HIPAA and information subject to protection under other federal or state laws.

In order to comply with the applicable provisions of HIPAA and other federal or state laws as applicable, the parties agree to this Business Associate Agreement (“BAA”) as follows:

  1. Definitions.
    (a) Capitalized terms used but not otherwise defined in this BAA or the Agreement shall have the meanings ascribed to them in HIPAA (whether or not such terms are capitalized therein).
    (b) “Effective Date” means the date Client created an account via Registration that indicates PHI will be provided to Company.
    (c) “Electronic PHI” means PHI that is Electronic Protected Health Information.
    (d) “PHI” means Protected Health Information received or accessed by Company from or on behalf of Client, or created, transmitted, or maintained by Company for or on behalf of Client.
  2. Permitted Uses.  Company may use PHI only as permitted or required by this BAA and only for the following purposes:
    (a) as necessary to perform the Services;
    (b) to carry out its legal responsibilities;
    (c) for the proper business management and administration of Company;
    (d) to de-identify PHI in accordance with the standards set forth under HIPAA and to use and disclose such de-identified data unless prohibited by applicable law;
    (e) to provide Data Aggregation services relating to the Health Care Operations of Client; and
    (f) as Required by Law.
  3. Permitted Disclosures.  Company may disclose PHI only as permitted or required by this BAA and only for the following purposes:
    (a) as necessary to perform the Services and as permitted or required by the Agreement;
    (b) for the proper business management and administration of Company or to carry out its legal responsibilities, if Required by Law, or if Company has obtained reasonable assurances that the recipient will (i) hold such PHI in confidence, (ii) use or further disclose it only for the purpose for which it was received or as Required by Law, and (iii) notify Company of any instance of which the recipient becomes aware in which the confidentiality of such PHI has been breached; and
    (c) as otherwise Required by Law.
  4. Prohibited Uses and Disclosures.
    (a) Subject to Client’s compliance with its obligations set forth in Section 16, as applicable, Company shall not use or further disclose PHI in a manner that would violate HIPAA if done by Client.
    (b) If Client notifies Company that Client has agreed to be bound by additional restrictions on the uses or disclosures of PHI pursuant to Section 16, Company shall be bound by such additional restrictions and shall not use or disclose PHI in violation of such additional restrictions.
  5. Subcontractors and Agents.  Any disclosure of PHI to a Subcontractor of Company shall be pursuant to a written agreement between Company and such Subcontractor containing substantially the same restrictions and conditions on the use and disclosure of PHI as are set forth in this BAA.
  6. Minimum Necessary.  Client shall provide, and Company shall request, access, use, and disclose, only the minimum amount of PHI necessary, in accordance with HIPAA, to perform the Services.
  7. Certain Privacy Rule Compliance.  To the extent that Company expressly agrees to carry out one or more of Client’s obligations under Subpart E of Part 164 of HIPAA (generally known as the HIPAA Privacy Rule), Company shall comply with the requirements of the Privacy Rule that apply to Client in the performance of such obligations.
  8. Safeguards.  Company at all times shall maintain administrative, physical, and technical safeguards designed to reasonably and appropriately protect the confidentiality, integrity, and availability of Electronic PHI that it creates, receives, maintains, or transmits, in accordance with the regulations set forth at 45 CFR § 164.308, 45 CFR § 164.310, and 45 CFR § 164.312, and shall maintain policies and procedures and other documentation in accordance with the regulations set forth at 45 CFR § 164.316.  Company acknowledges that such provisions apply to Company in the same manner that they apply to Covered Entities.
  9. Breach Investigation and Reporting.
    (a) As soon as practicable following any actual or reasonably suspected use or disclosure of PHI in a manner not permitted under HIPAA, Company shall assess whether such actual or suspected impermissible use or disclosure was of PHI that is Unsecured Protected Health Information and, if so (or if Company cannot reasonably and conclusively determine otherwise), Company shall evaluate whether there is a low probability that the PHI has been compromised.  In making such evaluation, Company shall conduct a risk assessment that considers, at a minimum, (i) the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification, (ii) the unauthorized person who used the PHI or to whom the disclosure was made, (iii) whether the PHI was actually acquired or viewed, and (iv) the extent to which the risk to the PHI has been mitigated, and Company shall evaluate the overall probability that the PHI has been compromised by considering all of the above, and any other relevant factors, in combination.
    (b) If, pursuant to the evaluation described in Section 9(a), Company reasonably determines that such impermissible use or disclosure constitutes a Breach of PHI that is Unsecured Protected Health Information, Company shall provide Client, without unreasonable delay but in no case later than 14 days following such determination, written notice setting forth the date of discovery thereof, the identities of affected individuals (or, if such identities are unknown at that time, the classes of such individuals), a general description of the nature of the incident, and such other information as is required pursuant to HIPAA or reasonably requested by Client.  Company shall supplement such notice with information not available at the time of the initial notification as promptly thereafter as the information becomes available to Company.
    (c) For purposes hereof, an impermissible use or disclosure shall be deemed discovered by Company as of the first day on which such impermissible use or disclosure is known to Company or, by exercising reasonable diligence, would have been known to Company, and Company shall be deemed to have knowledge of an impermissible use or disclosure if such impermissible use or disclosure is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the impermissible use or disclosure, who is a Workforce member of Company or an agent of Company (determined in accordance with the federal common law of agency).
  10. Security Incident Reporting.  Company shall report to Client in writing any Security Incident involving Electronic PHI, other than a Security Incident that involves an actual or suspected impermissible use or disclosure of PHI (which is governed by Section 9), within 30 days of Company’s discovery thereof.  The parties acknowledge and agree that this section constitutes notice by Company to Client of the ongoing occurrence of events that may constitute Security Incidents but that are trivial or routine, do not constitute a material threat to the security of PHI, and do not result in unauthorized access to or use or disclosure of PHI (such as typical pings and port scans), for which no additional notice to Client shall be required.
  11. Mitigation.  Company shall establish reasonable procedures to mitigate, to the extent practicable, any harmful effect of any Breach or impermissible use or disclosure of PHI in violation of the terms and conditions of this BAA or applicable law.
  12. Access and Amendment.  With respect to an Individual as to whom Company maintains PHI, Company shall notify Client promptly upon receipt of a request from such Individual for access to or a copy of such Individual’s PHI, or to amend such Individual’s PHI.  To the extent permitted under HIPAA, and except as otherwise required by the order of a court of competent jurisdiction, (a) Company shall direct such Individual to make such request of Client and (b) Company shall not consent to such access, deliver such copy, or comply with such request except as directed by Client.  With respect to PHI maintained by Company in a Designated Record Set, to the extent required by HIPAA of a Covered Entity, Company shall (i) make such PHI available to Individuals or Client, as reasonably requested by Client and in accordance with HIPAA, and (ii) upon receipt of notice from Client, promptly amend any portion of such PHI so that Client may meet its amendment obligations under HIPAA.
  13. Accounting for Disclosures.  Company shall document all disclosures of PHI by Company, and information related to such disclosures, as would be required for Client to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with HIPAA.  Company shall maintain such information for the applicable period set forth in HIPAA.  Company shall deliver such information to Client or, upon Client’s request, to the Individual, in the time and manner reasonably designated by Client, in order for Client to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with HIPAA.  The obligations set forth in this section shall survive the expiration or any termination of this BAA and shall continue, as to a given instance of a disclosure, until the earlier of (a) the passing of the time for which such information is required to be maintained pursuant to HIPAA or (b) the delivery to Client of all such information in a form and medium reasonably satisfactory to Client and the return or destruction of all PHI as provided in this BAA.
  14. Audit.  If Company receives a request, made on behalf of the Secretary of the Department of Health and Human Services, that Company make its internal practices, books, and records relating to the use or disclosure of PHI available to the Secretary for the purpose of determining Client’s or Company’s compliance with HIPAA, Company promptly shall notify Client of such request and, unless enjoined from doing so by order of a court of competent jurisdiction in response to a challenge raised by Client or Company (which challenge Company shall not be obligated to raise), Company shall comply with such request to the extent required of it by applicable law.  Nothing in this BAA shall waive any attorney-client privilege or other privilege applicable to either party.
  15. Compliance with Law.  Each party shall comply with all applicable federal and state laws regarding individually identifiable information contained in or associated with PHI, including without limitation any state data breach laws or other state laws regarding the protection of such information.  Nothing in this BAA shall be construed to require Company to use or disclose PHI without a written authorization from the Individual who is the subject thereof, or written authorization from any other person, where such authorization would be required under federal or state law for such use or disclosure.
  16. Obligations of Client.  Client shall (a) promptly notify Company of any limitation in Client’s Notice of Privacy Practices to the extent that such limitation may affect Company’s use or disclosure of PHI, (b) promptly notify Company of any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent that such change may affect Company’s use or disclosure of PHI, (c) promptly notify Company of any restriction on the use or disclosure of PHI to which Client has agreed in accordance with HIPAA, to the extent that such restriction may affect Company’s use or disclosure of PHI, and (d) obtain any authorizations, permissions, or consents (“Consents”) as may be required by applicable federal and state law for any of the uses or disclosures of PHI or to perform the Services.  Client represents and warrants that (i) its Notice of Privacy Practices permits Company to use and disclose PHI and to perform the Services in the manner that Company is authorized to use and disclose PHI under this BAA, and (ii) it has obtained and maintains all Consents required by law.  Company may rely upon all configuration requests, parameters, consent tracking guidelines, and other such instructions provided by Client, and may provide the Services accordingly.  Client assumes sole responsibility for any liabilities or claims arising out of or relating to such instructions and shall indemnify Company for any such claims.
  17. Term and Termination.  This BAA shall become effective on the Effective Date and shall continue in effect until the earlier to occur of (a) the expiration or termination of the Agreement or (b) termination pursuant to this section.  Either party may terminate this BAA and the Agreement effective immediately if it determines that the other party has breached a material provision of this BAA and has failed to cure such breach within 30 days of being notified by the other party of the breach.  If the non-breaching party reasonably determines that cure is not possible, such party may terminate this BAA and the Agreement effective immediately upon written notice to the other party.
  18. Effect of Termination.  Upon termination of the Agreement, subject to any applicable provisions of the Agreement, Company shall return to Client or destroy all PHI that Company maintains in any form and retain no copies of such PHI or, if return or destruction is not feasible (including without limitation if Company is required by applicable law to retain any such PHI for a time following termination), notify Client thereof, extend the protections of this BAA to such PHI, and limit its further use or disclosure to those purposes that make the return or destruction of the PHI infeasible.  The requirements of this section shall survive termination or expiration of this BAA and shall remain in force as long as any PHI remains in the custody or control of Company.
  19. Miscellaneous.
    (a) Notices.  Except as otherwise provided in this BAA, notices and reports given under this BAA shall be in writing and sent to the parties at the addresses set forth in the Agreement.  Such notices shall be deemed delivered (i) when personally delivered, (ii) on the third business day after deposit, properly addressed and postage pre-paid, when sent by certified or registered U.S. mail to the address provided herein, or (iii) on the next business day when sent with next-business-day instruction by a recognized overnight document delivery service to the address provided herein.
    (b) Nature of Relationship.  Company shall perform all Services hereunder as an independent contractor to Client, and nothing contained herein shall be deemed to create any agency or other relationship between the parties or any of their affiliates.  Neither party shall have the right, power, or authority under this BAA to create any duty or obligation on behalf of the other party.
    (c) Applicability.  This BAA applies only to the extent that Client is a Covered Entity or a Business Associate, Client transmits or discloses PHI via the Platform, and Client indicates during Registration that PHI will be provided.
    (d) Waiver.  A waiver with respect to one event shall not be construed as continuing, or as a bar to or waiver of, any right or remedy as to subsequent events.
    (e) Severability.  If any one or more of the provisions of this BAA should be ruled wholly or partly invalid or unenforceable by a court or other government body of competent jurisdiction, then (i) the validity and enforceability of all provisions of this BAA not ruled to be invalid or unenforceable will be unaffected, (ii) the effect of the ruling will be limited to the jurisdiction of the court or other government body making the ruling, (iii) the provision(s) held wholly or partly invalid or unenforceable will be deemed amended, and the court or other government body is authorized to reform the provision(s), to the minimum extent necessary to render them valid and enforceable in conformity with the parties’ intent as manifested herein, and (iv) if the ruling, and/or the controlling principle of law or equity leading to the ruling, subsequently is overruled, modified, or amended by legislative, judicial, or administrative action, then the provision(s) in question as originally set forth in this BAA will be deemed valid and enforceable to the maximum extent permitted by the new controlling principle of law or equity.
    (f) Entire Agreement.  This BAA, together with the Agreement, constitutes the entire agreement between the parties concerning the subject matter hereof.  No prior or contemporaneous representations, inducements, promises, or agreements, oral or otherwise, between the parties with reference thereto will be of any force or effect.  Each party represents and warrants that, in entering into and performing its obligations under this BAA, it does not and will not rely on any promise, inducement, or representation allegedly made by or on behalf of the other party with respect to the subject matter hereof, nor on any course of dealing or custom and usage in the trade, except as such promise, inducement, or representation may be expressly set forth herein.
    (g) Amendments.  This BAA may not be modified, nor shall any provision hereof be waived or amended, except in a writing duly signed by authorized representatives of both parties.
    (h) No Third-Party Beneficiaries.  No provision of this BAA is intended to confer, nor shall anything herein confer, upon any person other than the parties and their respective successors or assigns, any rights, remedies, obligations, or liabilities whatsoever, and any implication to the contrary is expressly disclaimed by each party.
    (i) Headings; Interpretation.  The headings of the sections used in this BAA are included for convenience only and are not to be used in construing or interpreting this BAA.  In the event of a conflict between the provisions of this BAA and any provisions of the Agreement, the provisions of this BAA shall control, except to the extent this BAA is superseded in its entirety as set forth in Section 12(c) of the Agreement.  In the event of an inconsistency between the provisions of this BAA and mandatory provisions of HIPAA, as amended, or its interpretation by any court or regulatory agency with authority over either party hereto, HIPAA (as interpreted by such court or agency, if applicable) shall control.  Where provisions of this BAA differ from those mandated under HIPAA but are nonetheless permitted by such rules as interpreted by relevant courts or agencies, the provisions of this BAA shall control.