Date of Last Revision: October 4, 2021
This Business Associate Agreement (“Agreement”) is an addendum to the services agreement between the Parties (the “Underlying Agreement”) that includes a reference to where this Agreement is posted and is effective as of the effective date of the Underlying Agreement. This Agreement is entered into by and between Dataclay, LLC (“Dataclay”) as Business Associate subcontractor and the Dataclay company that is the other party to the Underlying Agreement (“Company”) which is acting as a Business Associate for one or more third party Covered Entities, as each of those terms is defined in the Health Insurance Portability and Accountability Act of 1996, as codified at 42 U.S.C. § 1320d (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act of 2009, as codified at 42 U.S.C. § 17901 et seq. (“HITECH Act”), and any applicable current and future regulations promulgated under HIPAA or the HITECH Act (HIPAA, HITECH Act and any applicable current and future regulations promulgated under either are referred to as the “Regulations”).
This Agreement sets forth the terms and conditions with respect to the handling of PHI pursuant to the HIPAA Standards for Privacy of Individually Identifiable Health Information, 45 C.F.R. Part 160 and Part 164, Subparts A and E (“Privacy Rule”), the HIPAA Security Standards, 45 C.F.R. Part 160 and Part 164, Subparts A and C (“Security Rule”), the HIPAA Breach Notification Regulations, 45 C.F.R. Part 164, Subpart D (“Breach Notification Rule”), and the HITECH Act, all as amended.
Capitalized terms used in this Agreement and not otherwise defined have the meanings set forth in the Privacy Rule, Security Rule, and the Breach Notification Rule, which definitions are incorporated in this Agreement by reference.
“Electronic Protected Health Information” or “Electronic PHI” has the meaning given under the Privacy Rule and the Security Rule, including, but not limited to, 45 C.F.R. § 160.103, as applied to the Electronic PHI that Dataclay creates, receives, maintains, or transmits from or on behalf of Company.
“Protected Health Information” or “PHI” has the same meaning as the term “protected health information” in 45 C.F.R. § 160.103, as applied to the PHI created, received, maintained, or transmitted by Dataclay from or on behalf of Company.
Company will notify Dataclay 15 business days, if practicable, prior to the effective date of: (a) any limitations in its notice of privacy practices in accordance with 45 C.F.R. § 164.520; (b) any changes in, or revocation of, permission by an Individual to Use or Disclose PHI; or (c) any restriction to the Use or Disclosure of PHI that Company has agreed to in accordance with 45 C.F.R. § 164.522. Company will make a notification to the extent that the limitation, restriction, or change may affect Dataclay’s Use or Disclosure of PHI in connection with the Services, and, with respect to those changes described in (b) and (c), Company will take all necessary measures to ensure that Dataclay will not receive any PHI following the date of any changes in or revocation of permission described in (b) or any restriction described in (c) and will assume any associated liabilities.
In the event of a Breach caused solely by Dataclay or its employees or subcontractors and notice to Individuals is required pursuant to the Breach Notification Rule, Dataclay agrees to reimburse Company for the reasonable and substantiated costs related to the following: providing notifications to affected individuals, the media, or the Secretary, providing credit monitoring services to the affected individuals, if appropriate, for up to one (1) year, any fines and penalties assessed against Company directly attributable to a Breach by Dataclay or its employees or subcontractors, investigation costs, and mitigation efforts required under the Privacy Rule or Security Rule.
Each party will cooperate in good faith with the other party in connection with any request by a federal or state governmental authority for additional information and documents or any governmental investigation, complaint, action or other inquiry.
The parties are required to comply with federal and state laws regarding the protection of PHI as defined by HIPAA. If this Agreement must be amended to secure such compliance, the parties will meet in good faith to agree upon non-financial terms to amend this Agreement.