Business Associate Agreement
This Business Associate Agreement ("BAA") is between Neolth Inc. ("Neolth" or "Business Associate") and the health care professional or other authorized professional accessing a Neolth user’s information via the website https://www.neolth.com/ or related subdomains ("you" or "Covered Entity") (each a "Party" and collectively the "Parties"). This BAA only applies to the extent that Neolth creates, receives, maintains or transmits PHI on behalf of Covered Entity acting in its capacity as a “Business Associate” as such term is defined under 45 C.F.R. § 160.103.
You and Neolth have entered into the Neolth Terms of Service located at https://www.neolth.com/terms-of-service or any successor URL (the “Terms”) pursuant to which Neolth provides certain services, including, but not limited to, access to the Neolth platform for personalized stress management that enables you to monitor your patients (the “Services”).
To the extent that you wish to disclose Protected Health Information to Neolth pursuant to the Terms in order for Neolth to provide the Services, and to the extent Neolth is acting as a “Business Associate” on your behalf, you and Neolth shall enter into this BAA to establish the Parties’ obligations to protect the privacy and provide for the security of PHI disclosed to Neolth to provide the Services in compliance with HIPAA (as defined below).
1 DEFINITIONS
1.1 Capitalized Terms. Capitalized terms used in this BAA and not otherwise defined herein shall have the meanings set forth in the HIPAA Rules, which definitions are incorporated in this BAA by reference.
1.2 “HIPAA” means the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act of 2009, and all implementing regulations, including, but not limited to, the “Privacy Rule”, “Security Rule” and the “Breach Notification Rule”, 45 C.F.R. Parts 160 and 164 (collectively the “HIPAA Rules”), as the same may be amended from time to time, and other applicable laws.
1.3 “Protected Health Information” or “PHI” shall have the same meaning given to such term in 45 C.F.R. § 160.103, as applied to the information created, received, maintained or transmitted by Neolth from or on behalf of Covered Entity.
1.4 “Unsuccessful Security Incident” shall mean pings and other broadcast attacks on a firewall, port scans, unsuccessful log-on attempts, denials of service, or other similar attempted but unsuccessful Security Incident, or a combination thereof, so long as no such incident results in unauthorized access, use or disclosure of PHI.
2 PERMITTED USES AND DISCLOSURES OF PHI
2.1 Uses and Disclosures of PHI by Neolth. Neolth shall not use or disclose PHI other than as permitted or required to provide the Services to Covered Entity, or as Required by Law, provided that such use or disclosure would not violate the Privacy Rule if done by Covered Entity, except as otherwise permitted in this BAA. To the extent Neolth is carrying out any of Covered Entity’s obligations under the Privacy Rule pursuant to the Terms or this BAA, Neolth shall comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of such obligation(s).
2.2 Permitted Uses of PHI by Neolth. Except as otherwise limited in this BAA, Neolth may use PHI for the proper management and administration of Neolth or to carry out the legal responsibilities of Neolth.
2.3 Permitted Disclosures of PHI by Neolth. Except as otherwise limited in this BAA, Neolth may disclose PHI for the proper management and administration of Neolth, provided that the disclosures are Required by Law, or Neolth obtains reasonable assurances from the person to whom the information is disclosed that it shall remain confidential and will be used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person (which purpose must be consistent with the limitations imposed upon Neolth pursuant to this BAA), and that the person agrees to notify Neolth of any instances of which it is aware in which the confidentiality of the information has been breached. Neolth may disclose PHI to report violations of law to appropriate federal and state authorities, consistent with 45 C.F.R. § 164.502(j)(1).
2.4 Data Aggregation. Except as otherwise limited in this BAA, Neolth may use PHI to provide Data Aggregation services as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B).
2.5 De-identified Data. Neolth may de-identify PHI in accordance with the standards set forth in 45 C.F.R. § 164.514(b) and may use or disclose such de-identified data for any purpose.
3 OBLIGATIONS OF NEOLTH
3.1 Appropriate Safeguards. Neolth shall use appropriate safeguards and shall comply with the Security Rule with respect to Electronic PHI, to prevent use or disclosure of such information other than as provided for by the Terms and this BAA.
3.2 Reporting of Improper Use or Disclosure, Security Incident or Breach. Neolth shall report to Covered Entity any use or disclosure of PHI not permitted under this BAA, including any Breach of Unsecured PHI or Security Incident, without unreasonable delay, and in any event no more than five (5) business days following discovery; provided, however, that the Parties acknowledge and agree that this Section constitutes notice by Neolth to Covered Entity of the ongoing existence and occurrence of Unsuccessful Security Incidents.
3.3 Subcontractors. In accordance with 45 C.F.R. § 164.502(e)(1)(ii) and 45 C.F.R. § 164.308(b)(2), as applicable, Neolth shall enter into a written agreement with any subcontractor that creates, receives, maintains, or transmits PHI on behalf of Neolth for services provided to Covered Entity, providing that the subcontractor agrees to restrictions and conditions at least as stringent as those found in this BAA, and agrees to implement reasonable and appropriate safeguards to protect PHI.
3.4 Access to PHI. To the extent Neolth has PHI contained in a Designated Record Set, Neolth agrees to make information available to Covered Entity pursuant to 45 C.F.R. § 164.524, to respond to an Individual’s request to Covered Entity to review or copy the Individual’s PHI; provided, however, that Neolth is not required to provide such access where the PHI contained in a Designated Record Set is duplicative of the PHI contained in a Designated Record Set possessed by Covered Entity. If an Individual makes a request for access pursuant to 45 C.F.R. § 164.524 directly to Neolth, or inquires about his or her right to access, Neolth shall either forward such request to Covered Entity or direct the Individual to Covered Entity.
3.5 Amendment of PHI. To the extent Neolth has PHI contained in a Designated Record Set, Neolth agrees to make such information available to Covered Entity for amendment pursuant to 45 C.F.R. § 164.526. If an Individual submits a written request for amendment pursuant to 45 C.F.R. § 164.526 directly to Neolth, or inquires about his or her right to amendment, Neolth shall either forward such request to Covered Entity or direct the Individual to Covered Entity.
3.6 Documentation of Disclosures. Neolth agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528.
3.7 Accounting of Disclosures. Neolth agrees to provide to Covered Entity, upon receipt of a written request from Covered Entity, information collected in accordance with Section 3.6 of this BAA to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528. If an Individual submits a written request for an accounting of disclosures of PHI pursuant to 45 C.F.R. § 164.528 directly to Neolth, or inquires about his or her right to an accounting of disclosures of PHI, Neolth shall direct the Individual to Covered Entity.
3.8 Governmental Access to Records. Neolth shall make its internal practices, books and records relating to the use and disclosure of PHI received from, or created or received by Neolth on behalf of, Covered Entity available to the Secretary for purposes of the Secretary determining Covered Entity’s compliance with the Privacy Rule.
3.9 Mitigation. To the extent practicable, Neolth will reasonably cooperate with Covered Entity’s efforts to mitigate a harmful effect that is known to Neolth of a use or disclosure of PHI by Neolth that is not permitted by this BAA.
3.10 Minimum Necessary. Neolth shall request, use and disclose the minimum amount of PHI necessary to accomplish the purpose of the request, use or disclosure, in accordance with 45 C.F.R. § 164.514(d), and any amendments thereto.
4 OBLIGATIONS OF COVERED ENTITY
4.1 Appropriate Use by Covered Entity. Covered Entity is responsible for implementing appropriate privacy and security safeguards in order to protect its PHI in compliance with HIPAA and this BAA.
4.2 Notice of Privacy Practices. Covered Entity shall notify Neolth of any limitation(s) in an applicable notice of privacy practices in accordance with 45 C.F.R. § 164.520, to the extent that such limitation may affect Neolth’s use or disclosure of PHI.
4.3 Notification of Changes Regarding Individual Permission. Covered Entity shall obtain any consent or authorization that may be required by the Privacy Rule, or applicable state law, prior to furnishing Neolth with PHI. Covered Entity shall notify Neolth of any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent that such changes may affect Neolth’s use or disclosure of PHI.
4.4 Notification of Restrictions to Use or Disclosure of PHI. Covered Entity shall notify Neolth of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 C.F.R. § 164.522, to the extent that such restriction may affect Neolth’s use or disclosure of PHI.
4.5 Permissible Requests by Covered Entity. Covered Entity shall not request Neolth to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Covered Entity, except as permitted pursuant to the provisions of Sections 2.2, 2.3 and 2.4 of this BAA.
5 TERM AND TERMINATION
5.1 Term. The term of this BAA shall commence as of the BAA Effective Date, and shall terminate when all of the PHI provided by Covered Entity to Neolth, or created or received by Neolth on behalf of Covered Entity, is destroyed or returned to Covered Entity. If it is infeasible to return or destroy PHI, Neolth shall extend protections to such information in accordance with Section 5.3.
5.2 Termination for Cause. Upon either Party’s knowledge of a material breach by the other Party of this BAA, such Party may terminate this BAA immediately if cure is not possible. Otherwise, the non-breaching Party shall provide written notice to the breaching Party detailing the nature of the breach and providing an opportunity to cure the breach within thirty (30) business days. Upon the expiration of such thirty (30) day cure period, the non-breaching Party may terminate this BAA if the breaching Party does not cure the breach or if cure is not possible.
5.3 Effect of Termination.
5.3.1 Except as provided in Section 5.3.2, upon termination of your Account or this BAA for any reason, Neolth shall return or destroy all PHI received from Covered Entity, or created or received by Neolth on behalf of Covered Entity, and shall retain no copies of the PHI.
5.3.2 If it is infeasible for Neolth to return or destroy the PHI upon termination of your Account or this BAA, Neolth shall: (a) extend the protections of this BAA to such PHI and (b) limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Neolth maintains such PHI.
6 SURVIVAL
6.1 The respective rights and obligations of Neolth under Section 5.3 of this BAA shall survive the termination of this BAA and your Account.
7 AMENDMENT
7.1 If any relevant provision of the HIPAA Rules is amended in a manner that changes the obligations of Neolth or Covered Entity that are embodied in terms of this BAA, then the Parties agree to negotiate in good faith appropriate non-financial terms or amendments to this BAA to give effect to such revised obligations.
8 EFFECT OF BAA
8.1 In the event of any inconsistency between the provisions of this BAA and the Terms, the provisions of this BAA shall control. In the event that a court or regulatory agency with authority over Neolth or Covered Entity interprets the mandatory provisions of the HIPAA Rules in a way that is inconsistent with the provisions of this BAA, such interpretation shall control. Where provisions of this BAA are different from those mandated in the HIPAA Rules, but are nonetheless permitted by such rules as interpreted by courts or agencies, the provisions of this BAA shall control.
9 GENERAL
9.1 This BAA is governed by, and shall be construed in accordance with, the laws of the State that govern the Terms. Any action relating to this BAA must be commenced within one (1) year after the date upon which the cause of action accrued. Covered Entity shall not assign this BAA without the prior written consent of Neolth, which shall not be unreasonably withheld. If any part of a provision of this BAA is found illegal or unenforceable, it shall be enforced to the maximum extent permissible, and the legality and enforceability of the remainder of that provision and all other provisions of this BAA shall not be affected. Nothing in this BAA shall confer any right, remedy, or obligation upon anyone other than Covered Entity and Neolth. This BAA is the complete and exclusive agreement between the Parties with respect to the subject matter hereof, superseding and replacing all prior agreements, communications, and understandings (written and oral) regarding its subject matter.
10 INDEPENDENT CONTRACTOR
10.1 Neolth will be considered, for all purposes, an independent contractor, and Neolth will not, directly or indirectly, act as agent, servant or employee of Covered Entity or make any commitments or incur any liabilities on behalf of Covered Entity without its express written consent. Nothing in this BAA shall be deemed to create an employment, principal-agent or partner relationship between the Parties. Neolth shall retain sole and absolute discretion in the manner and means of carrying out its activities and responsibilities under this BAA.