Business Associate Agreement
Last Revised: Friday, July 12, 2020
Pursuant to the Term of Service (“Term of Service” that can be found here), this Business Associate Agreement (“Agreement”) is entered into as of the Effective Date at the time you start to obtain Preworkscreen services (collectively “Services” or “Preworkscreen Services”) between Covered Entity (“Covered Entity”, “you”) and Business Associate. Business Associate provides services for or on behalf of Covered Entity that may involve creation, maintenance, use, transmission or disclosure of protected health information within the meaning of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), and its implementing regulations, 45 CFR Parts 160 and 164 (“HIPAA Rules”).
This Agreement supplements the Terms of Service (including the Security and Privacy that can be found here) and is intended to and shall be interpreted to satisfy the requirements for business associate agreements as set forth in the HIPAA Rules as they shall be amended. Business Associate understands and acknowledges that Business Associate is subject to the HIPAA Rules, and that violation of the HIPAA Rules carries the penalties described in 45 CFR §160.404.
1. Definitions
1.1 Catch-all definition
The following terms used in this Agreement shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Protected Health Information, Required By Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use.
1.2 Specific definitions
Some specific term definitions in this Agreement are:
- Business Associate. “Business Associate” shall generally have the same meaning as the term “business associate” at 45 CFR 160.103, and in reference to the party to this agreement, shall mean InfoBeyond Technology LLC (“InfoBeyond”, “we”, “us”).
- Covered Entity. “Covered Entity” shall generally have the same meaning as the term “covered entity” at 45 CFR 160.103, and in reference to the party to this agreement, shall mean any individual, entity, or organization who subscribes to Preworkscreen Services.
- PHI shall have the same meaning as the term “Protected Health Information” at 45 CFR §160.103, and includes any individually identifiable information that is generated, transmitted, received, processed, or stored by Business Associate on behalf of Covered Entity that relates to an individual’s past, present or future physical or mental health, health care or payment for health care, whether in oral, hard copy, electronic or any other form or medium.
- HIPAA Rules. “HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.
- All terms used but not otherwise defined in this Agreement shall be defined as set forth in 45 C.F.R. Part 160 and Part 164, Subparts A, C, D, and E, and Term of Service as they shall be amended.
2. PARTIES AND RELATIONSHIPS
Business Associate is and at all times during this Agreement shall be designated as the Preworkscreen service provider through the website https://preworkscreen.com/ and as more fully described on the website to Covered Entity. You shall have the full authority for the registered organization to receive the Preworkscreen services in the name of the Covered Entity. Covered Entity shall not have authority to control the method or manner in which Business Associate performs its services on behalf of Covered Entity, provided that Business Associate complies with the terms of this Agreement and the HIPAA Rules. Business Associate shall not have authority to bind Covered Entity to any liability unless expressly authorized by Covered Entity in writing, and Covered Entity shall not be liable for the acts or omissions of Business Associate. Business Associate shall not represent itself as the agent of Covered Entity. Nothing in this Agreement shall be deemed to establish an agency, a contractor, partnership, joint venture or other relationship except that of independently contracting entities.
3. BUSINESS ASSOCIATE RESPONSIBILITIES ON SERVICES
In providing the services to Covered Entity, Business Associate agrees to:
- 3.1 Collect, compute, store and process PHI in order to provide Preworkscreen services or the information necessary to accomplish these subscribed services.
- 3.2 Properly protect PHI in full compliance with the HIPAA Rules applicable to Business Associate.
- 3.3 Properly maintain PHI confidentiality without disclosing it to other parties except as permitted by this Agreement or as otherwise required by law. PHI will not be shared with governmental agencies unless legally compelled, for example by a court order, in which case we will inform you immediately.
- 3.4 Take measures to protect PHI from use or disclosure other than as permitted by this Agreement or as otherwise required by law. Business Associate shall comply with the requirements in 45 CFR Part 164, Subpart C applicable to Business Associate, including administration, monitoring, access control, security policies, safeguards, and security technology to protect the PHI. If Business Associate performs service-relevant activities related to Covered Entity’s covered accounts as defined in 16 C.F.R. §681.1, Business Associate shall implement and comply with reasonable measures to identify, prevent, and mitigate any instance of identity theft relating to the covered accounts.
- 3.5 Immediately report to Covered Entity’s designated representative in the event that PHI breach occurs that results in PHI use or disclosure not permitted by this Agreement or the HIPAA Rules of which Business Associate becomes aware, including the report of unsecured PHI as required by 45 CFR §164.410, and the report of security incidents as required by 45 CFR §164.314(e)(2)(i)(C). If Business Associate performs activities related to Covered Entity’s covered accounts as defined in 16 C.F.R. §681.1, Business Associate shall report to Covered Entity any PHI theft instances involving a Covered Entity covered account on the services. Business Associate shall report the information necessary for Covered Entity to investigate the incident in compliance with the Covered Entity’s obligations under applicable law.
- 3.6 Take actions, to the extent practicable, to mitigate any negative impacts caused by a PHI breach incident.
- 3.7 Fully and timely collaborate with Covered Entity to investigate, mitigate, and notify third parties of data breaches of unsecured PHI as required by the HIPAA Rules.
- 3.8 Take measures to ensure that any subcontractor acting on behalf of Business Associate that receives, transmits, stores, and maintains PHI agrees to the same conditions, obligations, restrictions, and requirements set forth in this Agreement and the HIPAA Rules applicable to such party. Business Associate shall fulfill this requirement by executing a written agreement with any of these parties that incorporates the terms of this Agreement and otherwise complying with the requirements in 45 CFR §§164.502(e)(1)(ii), 164.502(e)(2) and 164.308(b)(2),(3).
- 3.9 Execute a designated record to the extent set on behalf of Covered Entity and make the available PHI in a designated record set to Covered Entity, within 10 days of request, to satisfy Covered Entity’s obligations under 45 CFR §164.524. Business associate will promptly forward the request to Covered Entity after the reception of a direct request from an individual of the Covered Entity.
- 3.10 Manage a record to the extent set on behalf of Covered Entity to make any amendment(s) to PHI in a designated record set within 10 days of request, as directed or agreed to by Covered Entity pursuant to 45 CFR §164.526, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 CFR §164.526.
- 3.11 Provide an accounting of disclosures to Covered Entity for the information required, within 10 days of request, to satisfy Covered Entity’s obligations under 45 CFR §164.528 applicable to business associate.
- 3.12 Conduct the Covered Entity’s obligations to the extent under 45 CFR Part 164, Subpart E that apply to Covered Entity in performing such obligations.
- 3.13 Conduct internal practices and records to review the services in compliance with the HIPAA Rules.
4. PERMISSIBLE USES AND DISCLOSURES
- 4.1 Business associate may use or disclose PHI only as follows:
- 4.1.1 As necessary or required to perform the Preworkscreen services set forth in the Terms of Service.
- 4.1.2 As authorized, to de-identify PHI in accordance with 45 CFR §164.514(a)-(c), such as statistics.
- 4.1.3 As required by law.
- 4.1.4 Business associate may not use or disclose PHI in a manner that would violate 45 CFR Part 164, Subpart E, if done by Covered Entity.
- 4.1.5 Business associate agrees to use or disclose the minimum amount of PHI necessary for a permitted purpose pursuant to this Section 4, Covered Entity’s policies and procedures, and 45 CFR §164.502(b).
- 4.2 Other Use and Disclosure
- 4.2.1 Except as limited in the Terms of Service, Business associate may use PHI for proper management, maintenance, tests, and administration to carry out the business associate’s services and legal responsibilities.
- 4.2.2 Except as limited in the Terms of Service, Business Associate may use PHI for proper management, maintenance, tests, and administration to carry out the services and legal responsibilities, provided that any disclosures for these purposes:
- Required by law,
- Business associate obtains reasonable assurances from the person to whom the PHI is disclosed that the PHI will remain confidential and used or further disclosed only as required by law or for the purposes for which it was disclosed, and
- The person notifies Business Associate of any instances in which the PHI confidentiality has been breached.
- 4.2.3 Except as limited in the Terms of Service, business associate may use PHI to provide data statistics and aggregation services relating to the health care operations of Covered Entity as defined in 45 CFR §164.501.
5. TERM AND TERMINATION
Unless otherwise mutually agreed to in writing by the parties, this Agreement shall be effective as of the Effective Date and shall be continued until the termination as provided below.
5.1 Termination
This Agreement shall be terminated on the same date the Terms of Service is terminated for any reason. In addition, this Agreement may be terminated earlier as follows:
- 5.1.1 Covered Entity may terminate this Agreement upon thirty (30) days prior notice in writing if Covered Entity determines that Business Associate or any subcontractor has violated the HIPAA Rules, a material term of this Agreement, or otherwise engaged in conduct that may compromise PHI. Subject to Section 5.1.2, Business Associate shall have the opportunity to cure the breach or violation within the 30-day notice period. If Business Associate fails to cure the breach or violation within the 30-day notice period, Covered Entity may terminate this Agreement.
- 5.1.2 Notwithstanding Section 6.1.1, Covered Entity may terminate this Agreement immediately if Business Associate or any subcontractor engages in any conduct that Covered Entity reasonably believes may result in adverse action against Covered Entity by any governmental agency or third party.
5.2 Termination of Terms of Service
Notwithstanding anything in the Terms of Service to the contrary, Covered Entity shall have the right to terminate the Terms of Service immediately if Business Associate’s PHI generation, transmission, storing, maintenance or disclosure is a material purpose of the Terms of Service and this Agreement is terminated for any reason.
5.3 Obligations of Business Associate upon Termination
Upon termination of this Agreement for any reason, Business Associate shall, with respect to PHI received from Covered Entity, or created, maintained, used or received by Business Associate on behalf of Covered Entity:
- 5.3.1 If feasible, return all PHI to Covered Entity at Covered Entity’s sole expense, or, if Covered Entity agrees, destroy such PHI.
- 5.3.2 If the return or destruction of PHI is not feasible, continue to extend the protections of this Agreement and the HIPAA Rules to such PHI and not use or further disclose the PHI in a manner that is not permitted by this Agreement or the HIPAA Rules.
5.4 Business Associate's obligations under this Section 5 shall survive termination of this Agreement.
6. REGULATORY REFERENCES
A reference in this Agreement to a section in the HITECH Act or HIPAA Rules means the section as in effect or as amended.
7. AMENDMENT
The parties agree to take such action as is necessary to amend this Agreement from time to time to comply with the requirements of the HITECH Act, HIPAA Rules, the FTC Identity Theft “Red Flag” Rules and any other applicable laws and regulations.
8. INTERPRETATION
Any ambiguity in this Agreement shall be interpreted to permit compliance with the HITECH Act, HIPAA Rules and other applicable law.
9. GOVERNING LAW
This Agreement shall be construed broadly to implement and comply with the requirements of the HIPAA Rules and Regulations, and any ambiguity in this Agreement shall be interpreted to permit compliance with the HIPAA Rules. All other aspects of this Agreement shall be governed under the laws of the State of Kentucky and venue for any actions relating to this Agreement shall be in Jefferson County, Kentucky.
10. ASSIGNMENT/SUBCONTRACTING
This Agreement shall inure to the benefit of and be binding upon the parties and their respective legal representatives, successors and assigns. Business Associate may assign or subcontract rights or obligations under this Agreement to subcontractors or third parties without the express written consent of Covered Entity provided that Business Associate complies with Section 3.9, above. Covered Entity may assign its rights and obligations under this Agreement to any successor or affiliated entity.
11. COOPERATION
The parties agree to fully cooperate with each other to comply with the requirements of the HITECH Act, the HIPAA Rules, the FTC Identity Theft Rules and other applicable laws; to assist each other in responding to and mitigating the effects of any PHI breach in violation of the HIPAA Rules or this Agreement; and to assist the other party in response to any investigation, complaint, mitigation, or action by any government agency or third party relating to the performance of this Agreement. In addition, Business Associate shall make its officers, members, employees and agents available without charge for interview or testimony.
12. RELATION TO TERMS OF SERVICE
This Agreement supplements the Terms of Service. The terms and conditions of the Terms of Service shall continue to apply to the extent not inconsistent with this Agreement. If there is a conflict between this Agreement and the Terms of Service, this Agreement shall control.
13. NO THIRD PARTY BENEFICIARIES
Nothing express or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than Covered Entity and Business Associate and their respective successors or assigns, any rights, remedies, obligations, or liabilities whatsoever.
14. ENTIRE AGREEMENT
This Agreement contains the entire agreement between the parties as it relates to the use or disclosure of PHI, and supersedes all prior discussions, negotiations and services relating to the same to the extent such other prior communications are inconsistent with this Agreement.
15. ENCRYPTION
Business Associate and its subcontractors, if applicable, shall employ adequate data and device (server, desktop, laptop, USB thumb drive, etc.) encryption to render Covered Entity’s PHI data unusable, unreadable or indecipherable to unauthorized individuals through the use of a technology or methodology tested by the National Institute of Standards and Technology and judged to meet the standard. Such protection shall also extend to any databases or collection of PHI containing the information derived from the PHI as well as to PHI backups and archives.