This Business Associate Agreement (“Agreement”) amends and is made part of those certain Terms of Service, and any additional agreements by and between Customer (“Covered Entity”) and Lightning Step Technologies, LLC (“Business Associate”) in which Lightning Step creates or receives Protected Health Information (as defined below) to provide services to Customer (collectively “Service Agreement”).
Covered Entity and Business Associate agree that the parties incorporate this Agreement into the Service Agreement in order to comply with the requirements of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act (“HITECH”), and their implementing regulations set forth at 45 C.F.R. Parts 160 and Part 164 (the “HIPAA Rules”); and the federal regulations governing Confidentiality of Substance Use Disorder Patient Records, 42 C.F.R. Part 2 (the “Part 2 Regulations”). To the extent Business Associate is acting as a Business Associate of Covered Entity pursuant to the Service Agreement, the provisions of this Agreement shall apply.
1. Definitions. Capitalized terms not otherwise defined in this Agreement or the Service Agreement shall have the meaning set forth in the HIPAA Rules and/or the Part 2 Regulations. References to “PHI” mean Protected Health Information maintained, created, received, or transmitted by Business Associate in its capacity as a Business Associate of Covered Entity.
2. Uses or Disclosures. Business Associate will neither use nor disclose PHI except as permitted or required by this Agreement or as Required By Law. To the extent Business Associate is to carry out an obligation of a Covered Entity under 45 C.F.R. Part 164, Subpart E, Business Associate shall comply with the requirements of 45 C.F.R. Part 164, Subpart E that apply to such Covered Entity in the performance of such obligation. Business Associate is permitted to use and disclose PHI:
(a) to perform any and all obligations of Business Associate pursuant to the Service Agreement, including as necessary disclosing PHI to other business associates of Covered Entity and using PHI received from other business associates of Covered Entity, provided any such use or disclosure would not violate the HIPAA Rules or the Part 2 Regulations, if done by Covered Entity directly;
(b) as otherwise permitted by law, provided that such use or disclosure would not violate the HIPAA Rules or the Part 2 Regulations, if done by Covered Entity directly and provided that Covered Entity gives its prior written consent;
(c) to perform Data Aggregation services relating to Covered Entity’s health care operations;
(d) to report violations of the law to federal or state authorities consistent with 45 C.F.R. § 164.502(j)(1);
(e) as necessary for Business Associate’s proper management and administration and to carry out Business Associate’s legal responsibilities, provided that Business Associate may only disclose PHI for such purposes if the disclosure is Required By Law or Business Associate obtains reasonable assurance, evidenced by a written contract, from the recipient that the recipient: (1) will hold such PHI in confidence and use or further disclose it only for the purpose for which it was disclosed or as Required By Law; (2) will notify Business Associate of any instance of which the recipient becomes aware in which the confidentiality of such PHI was breached; and (3) acknowledges in writing that, in receiving PHI, the recipient is fully bound by the Part 2 Regulations and must agree to, if necessary, resist in judicial proceedings any efforts to obtain access to PHI except as permitted by the Part 2 Regulations.
(f) to create de-identified information in accordance with 45 C.F.R. §164.514(b), provided that such de-identified information may be used and disclosed only consistent with applicable law;
In the event Covered Entity notifies Business Associate of an Individual’s restriction request granted pursuant to 45 C.F.R. §164.522 that would restrict a use or disclosure otherwise permitted by this Section, Business Associate shall comply with the terms of the restriction request.
3. Safeguards. Business Associate will use appropriate administrative, technical and physical safeguards to prevent the use or disclosure of PHI other than as permitted by this Agreement. Business Associate will also comply with the applicable provisions of 45 C.F.R. Part 164, Subpart C with respect to electronic PHI to prevent any use or disclosure of such information other than as provided by this Agreement.
4. Subcontractors. In accordance with 45 C.F.R. §§164.308(b)(2) and 164.502(e)(1)(ii), Business Associate will ensure that all of its Subcontractors that create, receive, maintain or transmit PHI on behalf of Business Associate agree by written contract to comply with the same restrictions and conditions that apply to Business Associate with respect to such PHI, including but not limited to the obligation to comply with applicable provisions of 45 C.F.R. Part 164, Subpart C, and acknowledge in writing that, in receiving PHI to the extent such information is governed by the Part 2 Regulations, the recipient is fully bound by the Part 2 Regulations, and must agree to, if necessary, resist in judicial proceedings any efforts to obtain access to PHI except as permitted by the Part 2 Regulations.
5. Minimum Necessary. Business Associate will limit its uses and disclosures of, and requests for, PHI (i) when practical, to the information making up a Limited Data Set; and (ii) in all other cases subject to the requirements of 45 C.F.R. § 164.502(b), to the minimum amount of PHI necessary to accomplish the intended purpose of the use, disclosure or request.
6. Covered Entity Obligations. Covered Entity shall notify Business Associate of (i) any limitations in its notice of privacy practices, (ii) any changes in, or revocation of, permission by an Individual to use or disclose PHI, and (iii) any confidential communication request or restriction on the use or disclosure of PHI that Covered Entity has agreed to or with which Covered Entity is required to comply, to the extent any of the foregoing affect Business Associate’s use or disclosure of PHI. Covered Entity shall not request Business Associate to use or disclose PHI in a manner not permitted by the HIPAA Rules or other applicable law, shall obtain all permissions or authorizations, if any, required to disclose PHI to Business Associate in order for Business Associate to perform its obligations under the Service Agreement, and only disclose to Business Associate the minimum Protected Health Information necessary to allow Business Associate to perform its obligations under the Service Agreement.
7. Access and Amendment. In accordance with 45 C.F.R. § 164.524, Business Associate shall permit Covered Entity or an Individual (or the Individual’s designee) to inspect and obtain copies of any PHI about the Individual that is in Business Associate’s custody or control in a Designated Record Set. If the requested PHI is maintained electronically, Business Associate must provide a copy of the PHI in the electronic form and format requested by the individual, if it is readily producible, or, if not, in a readable electronic form and format as agreed to by Business Associate, Covered Entity and the Individual. Business Associate will, upon receipt of notice from Covered Entity, promptly amend or permit Covered Entity access to amend PHI held in a Designated Record Set by Business Associate so that Covered Entity may meet its amendment obligations under 45 C.F.R. § 164.526.
8. Accounting. Except for disclosures excluded from the accounting obligation by the HIPAA Rules, Business Associate will record for each disclosure that Business Associate makes of PHI the information necessary for Covered Entity to make an accounting of disclosures pursuant to the HIPAA Rules. In the event the U.S. Department of Health and Human Services (“HHS”) finalizes regulations requiring Covered Entities to provide access reports, Business Associate shall also record such information with respect to electronic PHI held by Business Associate as would be required under the regulations for Covered Entities beginning on the required compliance date of such regulations. Business Associate will make information required to be recorded pursuant to this Section available to Covered Entity promptly upon Covered Entity’s request for the period requested, but for no longer than required by the HIPAA Rules (except Business Associate need not have any information for disclosures occurring before the effective date of this Agreement).
9. Books and Records. Business Associate will make its internal practices, books, and records, relating to its use and disclosure of PHI, available upon request to HHS to determine compliance with the HIPAA Rules.
10. Reporting. To the extent Business Associate becomes aware or discovers any use or disclosure of PHI not permitted by this Agreement, any Security Incident involving electronic PHI or any Breach of Unsecured Protected Health Information involving PHI, Business Associate shall promptly report such use, disclosure, Security Incident or Breach to Covered Entity. Notwithstanding the foregoing, the parties acknowledge and agree that this Section constitutes notice by Business Associate to Covered Entity of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined below) for which no additional notice to Covered Entity shall be required. “Unsuccessful Security Incidents” means pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of electronic PHI. All reports of Breaches shall be made in compliance with 45 C.F.R. § 164.410.
11. Term and Termination. This Agreement shall be effective as of the Effective Date and shall remain in effect until termination of the Service Agreement. Either party may terminate this Agreement and the Service Agreement effective immediately if it determines that the other party has breached a material provision of this Agreement and failed to cure such breach within thirty (30) days of being notified by the other party of the breach. If the non-breaching party determines that cure is not possible, such party may terminate this Agreement and the Service Agreement effective immediately upon written notice to other party.
Upon termination of this Agreement for any reason, Business Associate will, if feasible, return to Covered Entity or destroy all PHI maintained by Business Associate in any form or medium, including all copies of such PHI. Further, Business Associate shall recover any PHI in the possession of its Subcontractors and return to Covered Entity or securely destroy all such PHI. In the event that Business Associate determines that returning or destroying any PHI is infeasible, Business Associate may maintain such PHI but shall continue to abide by the terms and conditions of this Agreement with respect to such PHI and shall limit its further use or disclosure of such PHI to those purposes that make return or destruction of the PHI infeasible. All of Business Associate’s obligations under this Agreement shall survive termination and remain in effect (a) until Business Associate has completed the return or destruction of PHI as required by this Section and (b) to the extent Business Associate retains any PHI pursuant to this Section.
12. Confidentiality of Substance Use Disorder Patient Records. To the extent Business Associate receives information covered by the Part 2 Regulations, Business Associate: (1) acknowledges that in receiving, storing, processing or otherwise dealing with any information from Covered Entity about individuals who are patients of Covered Entity (“Patients”), it is fully bound by the provisions of the Part 2 Regulations; and (2) undertakes to resist in judicial proceedings any effort to obtain access to information pertaining to Patients otherwise than as expressly provided for in the Part 2 Regulations.
13. Miscellaneous.
(a) This Agreement shall be governed by, and construed in accordance with, the laws of the State of Texas without regard to its conflicts of law provisions.
(b) In the event that any final regulation or amendment to final regulations is promulgated by HHS or other government regulatory authority with respect to PHI, the parties shall negotiate in good faith to amend this Agreement to remain in compliance with such regulations. Any ambiguity in this Agreement shall be resolved to permit the parties to comply with the HIPAA Rules.
(c) Nothing in this Agreement shall be construed to create any rights or remedies in any third parties or any agency relationship between the parties.
(d) A reference in this Agreement to a section in the HIPAA Rules means the section as in effect or as amended.
(e) The terms and conditions of this Agreement override and control any conflicting term or condition of the Service Agreement and replace and supersede any prior business associate agreements in place between the parties. All non-conflicting terms and conditions of the Service Agreement remain in full force and effect. Notwithstanding the foregoing, this Agreement shall be subject to any limitation of liability specified in the Service Agreement.