MedMe Health Limited (“Business Associate”) and the Covered Entity (collectively the “Parties”)
hereby enter into this Business Associate Agreement (the “BAA”) pursuant to the terms and
conditions set forth below. The terms of this BAA are incorporated by reference into the
Software-as-a-Service Agreement located at
[https://www.medmehealth.com/saas-agreement]
and accepted by the Covered Entity as defined and designated therein. In this BAA, Covered Entity
and Business Associate are each a “Party” and, collectively, are the “Parties”.
BACKGROUND
I. Covered Entity is either a “covered entity” or “business associate” of a
covered entity as each are defined under the Health Insurance Portability and Accountability Act
of 1986, Public Law 104-191, as amended by the HITECH ACT (as defined below) and the related
regulations promulgated by HHS (as defined below) (collectively, “HIPAA”) and, as such, is
required to comply with HIPAA’s provisions regarding the confidentiality and privacy of Protected
Health Information (as defined below);
II. The Parties have entered into or will enter into one or more agreements under
which Business Associate provides or will provide certain specified services to Covered Entity
(collectively, the “Agreement”);
III. In providing services pursuant to the Agreement, Business Associate will
have access to Protected Health Information;
IV. By providing the services pursuant to the Agreement, Business Associate will
become a “business associate” of the Covered Entity as such term is defined under HIPAA;
V. Both Parties are committed to complying with all federal and state laws
governing confidentiality and privacy of health information, including, but not limited to, the
Standards for Privacy of Individually Identifiable Health Information found at
45 CFR Part 160 and Part 164,
Subparts A and E (collectively, the “Privacy Rule”); and
VI. Both Parties intend to protect the privacy and provide for the security of
Protected Health Information disclosed to Business Associate pursuant to this Agreement, HIPAA
and other applicable laws.
AGREEMENT
NOW, THEREFORE, in consideration of the mutual and conditions contained herein and the continued
provision of PHI by Covered Entity to Business Associate under the Agreement in reliance on this
BAA, the Parties agree as follows:
1. Definitions. For the purposes of this BAA, the Parties
give the following meaning to each of the terms in this Section 1 below. Any capitalized term
used in this BAA, but otherwise defined, has the meaning given to that term in the Privacy Rule
or pertinent law.
- “Affiliate” means a subsidiary or affiliate of Covered Entity that is, or has been,
considered a covered entity, as defined by HIPAA.
- “Breach” means the acquisition, access, use, or disclosure of PHI in a manner not
permitted under the Privacy Rule which compromises the security or privacy of the PHI,
as defined in 45 CFR § 164.402.
- “Breach Notification Rule” means the portion of HIPAA set forth in Subpart D of
45 CFR Part 164.
- “Data Aggregation” means, with respect to PHI created or received by Business Associate
in its capacity as the “business associate” under HIPAA of Covered Entity, the combining
of such PHI by Business Associate with the PHI received by Business Associate in its
capacity as a business associate of one or more other “covered entity” under HIPAA, to
permit data analyses that relate to the Health Care Operations (defined below) of the
respective covered entities. The meaning of “data aggregation” in this BAA shall be
consistent with the meaning given to that term in the Privacy Rule.
- “Designated Record Set” has the meaning given to such term under the Privacy Rule
including 45 CFR § 164.501.B.
- “De-Identify” means to alter the PHI such that the resulting information meets the
requirements described in 45 CFR §§164.514(a) and (b).
- “Effective Date” refers to the date the Covered Entity accepts this BAA electronically
as part of the account registration process.
- “Electronic PHI” means any PHI maintained in or transmitted by electronic media as
defined in 45 CFR § 160.103.
- “Health Care Operations” has the meaning given to that term in
45 CFR § 164.501.
- “HHS” means the U.S. Department of Health and Human Services.
- “HITECH Act” means the Health Information Technology for Economic and Clinical Act,
enacted as part of the American Recovery and Reinvestment Act of 2009, Public Law 111-005.
- “Individual” has the same meaning given to that term in 45 CFR §§164.501 and 160.130
and includes a person who qualifies as a personal representative in accordance with
45 CFR § 164.502(g).
- “Privacy Rule” means that portion of HIPAA set forth in 45 CFR Part 160 and Part 164,
Subparts A and E.
- “Protected Health Information” or “PHI” has the meaning given to the term “protected
health information” in 45 CFR §§164.501 and 160.103, limited to the information created
or received by Business Associate from or on behalf of the Covered Entity.
- “Security Incident” means the attempted or successful unauthorized access, use,
disclosure, modification, or destruction of information or interference with system
operations in an information system.
- “Security Rule” means the Security Standards for the Protection of Electronic Health
Information provided in 45 CFR Part 160 & Part 164, Subparts A and C.
- “Unsecured Protected Health Information” or “Unsecured PHI” means any “protected health
information” as defined in 45 CFR §§164.501 and 160.103 that is not rendered unusable,
unreadable, or indecipherable to unauthorized individuals through the use of a technology
or methodology specified by the HHS Secretary in the guidance issued pursuant to the
HITECH Act and codified at 42 USC § 17932(h).
2. Use and Disclosure of PHI.
- Except as otherwise provided in this BAA, Business Associate may use or disclose PHI
as reasonably necessary to provide the services described in the Agreement to Covered Entity, and
to undertake other activities of Business Associate permitted or required of Business
Associate by this BAA or as required by law.
- Except as otherwise limited by this BAA or federal or state law, Covered Entity authorizes
Business Associate to use the PHI in its possession for the proper management and
administration of Business Associate’s business and to carry out its legal
responsibilities. Business Associate may disclose PHI for its proper management and
administration, provided that (i) the disclosures are required by law; or (ii) Business Associate
obtains, in writing, prior to making any disclosure to a third party (a) reasonable
assurances from this third party that the PHI will be held confidential as provided under
this BAA and used or further disclosed only as required by law or for the purpose for
which it was disclosed to this third party and (b) an agreement from this third party to
notify Business Associate immediately of any breaches of the confidentiality of the PHI,
to the extent it has knowledge of the breach.
- Business Associate may use de-identified data for research, product development, and
analytics, provided such use complies with HIPAA de-identification standards outlined
in 45 CFR § 164.514.
- Business Associate will not use or disclose PHI in a manner other than as provided
in this BAA, as permitted under the Privacy Rule, or as required by law. Business
Associate will use or disclose PHI, to the extent practicable, as a limited data set or
limited to the minimum necessary amount of PHI to carry out the intended purpose of the
use or disclosure, in accordance with Section 13405(b) of the HITECH ACT (codified as
42 USC § 17935(b)) and any of the act’s implementing regulations adopted by HHS, for
each use or disclosure of PHI.
- Covered Entity is responsible for ensuring that PHI shared with Business Associate
complies with all applicable laws and regulations. Business Associate shall not be
liable for unauthorized PHI disclosures resulting from Covered Entity’s actions,
omissions, or failure to implement appropriate safeguards.
- Upon request, Business Associate will make available to Covered Entity any of Covered
Entity’s PHI that Business Associate or any of its agents or subcontractors have in
their possession.
- Business Associate may use PHI to report violations of law to appropriate Federal and
State authorities, consistent with 45 CFR §164.502(d)(j)(1).
3. Safeguards Against Misuse of PHI.
Business Associate will use appropriate safeguards to prevent the use or disclosure of
PHI other than as provided by the Agreement or this BAA and Business Associate agrees
to implement administrative, physical, and technical safeguards that reasonably and
appropriately protect the confidentiality, integrity and availability of the Electronic
PHI that it creates, receives, maintains or transmits on behalf of Covered Entity.
Business Associate agrees to take reasonable steps, including providing adequate training
to its employees to ensure compliance with this BAA and to ensure that the actions or
omissions of its employees or agents do not cause Business Associate to breach the terms
of this BAA.
4. Reporting Disclosures of PHI and Security Incidents.
Business Associate will report to Covered Entity in writing any use or disclosure of PHI
not provided for by this BAA of which it becomes aware and Business Associate agrees to
report to Covered Entity any Security Incident affecting Electronic PHI of Covered Entity
of which it becomes aware. Business Associate agrees to report any such event within
60 calendar days of becoming aware of the event.
5. Reporting Breaches of Unsecured PHI.
- Business Associate will notify Covered Entity in writing promptly upon the discovery
of any Breach of Unsecured PHI in accordance with the requirements set forth in
45 CFR § 164.410, no later than
60 calendar days after the discovery of a Breach.
- Business Associate is not responsible for breaches occurring due to actions
or omissions of Covered Entity, its employees, or third-party vendors, including but
not limited to external software providers, hosting services, and data processors
integrated by Covered Entity.
6. Mitigation of Disclosures of PHI.
Business Associate will take reasonable measures to mitigate, to the extent practicable,
any harmful effect that is known to Business Associate of any use or disclosure of PHI by
Business Associate or its agents or subcontractors in violation of the requirements of
this BAA.
7. Agreements with Agents or Subcontractors.
Business Associate will ensure that any of its agents or subcontractors that have access
to, or to which Business Associate provides, PHI agree to the same restriction and
conditions contained in this BAA concerning uses and disclosures of PHI and agree to
implement reasonable and appropriate safeguards to protect any Electronic PHI that it
creates, received, maintains or transmits on behalf of Business Associate or, through
the Business Associate, Covered Entity. Business Associate shall ensure that all
subcontracts and agreements provide the same level of privacy and security as this BAA.
8. Access to PHI by Individuals.
- Upon request, Business Associate agrees to furnish Covered Entity with copies of the
PHI maintained by Business Associate in a Designated Record Set in the time and manner
designated by Covered Entity to enable Covered Entity to respond to an Individual’s
request for access to PHI under 45 CFR §164.524.
- In the event any Individual or personal representative requests access to the
Individual’s PHI directly from Business Associate, Business Associate will forward
that request to Covered Entity. Any disclosure of, or decision not to disclose, the
PHI requested by an Individual or a personal representative and compliance with the
requirements applicable to an Individual’s right to obtain access to PHI shall be the
sole responsibility of Covered Entity.
9. Amendment of PHI.
A. Upon request and instruction from Covered Entity, Business Associate
will amend PHI or a record about an Individual in a Designated Record Set that is
maintained by, or otherwise within the possession of, Business Associate as directed by
Covered Entity in accordance with procedures established by 45 CFR §164.526.
B. In the event that any Individual requests that Business Associate amend
such Individual’s PHI or record in a Designated Record Set, Business Associate will forward
this request to Covered Entity. Any amendment of, or decision not to amend, the PHI or
record as requested by an Individual and compliance with the requirements applicable to
an Individual’s right to request an amendment of PHI will be the sole responsibility of
Covered Entity.
10. Accounting of Disclosures.
- Business Associate will document any disclosures of PHI made by it to account for such
disclosures as required by 45 CFR §164.528(a).
Business Associate also will make available information related to such disclosures as
would be required for Covered Entity to respond to a request for an accounting of
disclosures in accordance with 45 CFR §164.528. At a minimum, Business Associate will
furnish Covered Entity the following with respect to any covered disclosures by Business
Associate: (i) the date of disclosure of PHI; (ii) the name of the entity or person who
received PHI, and, if known, the address of such entity or person; (iii) a brief
description of the PHI disclosed; and (iv) a brief statement of the purpose of the
disclosure which includes the basis for such disclosure.
- Business Associate will furnish to Covered Entity information collected in accordance
with this Section 10 upon written request by Covered Entity, to permit Covered Entity
to make an accounting of disclosures as required by 45 CFR §164.528, or in the event
that Covered Entity elects to provide an Individual with a list of its business
associates, Business Associate will provide an accounting of its disclosures of PHI
upon request of the Individual, if and to the extent that such accounting is required
under the HITECH ACT or under HHS regulations adopted in connection with the HITECH ACT.
- In the event an Individual delivers the initial request for an accounting directly to
Business Associate, Business Associate will forward such request to Covered Entity.
11. Availability of Books and Records.
Business Associate will make available its internal practices, books, agreements, records,
and policies and procedures relating to the use and disclosure of PHI, upon request, to the
Secretary of HHS for purposes of determining Covered Entity's and Business Associate's
compliance with HIPAA, and this BAA.
12. Responsibilities of Covered Entity. With regard to
the use and/or disclosure of Protected Health Information by Business Associate, Covered
Entity agrees to:
- Notify Business Associate of any limitation(s) in its notice of privacy practices in
accordance with 45 CFR §164.520, to
the extent that such limitation may affect Business Associate’s use or disclosure of PHI.
- Notify Business Associate of any changes in, or revocation of, permission by an
Individual to use or disclose Protected Health Information, to the extent that such
changes may affect Business Associate’s use or disclosure of PHI.
- Notify Business Associate of any restriction to the use or disclosure of PHI that
Covered Entity has agreed to in accordance with 45 CFR §164.522,
to the extent that such restriction may affect Business Associate’s use or disclosure
of PHI.
- Except for data aggregation or management and administrative activities of Business
Associate, Covered Entity shall not request Business Associate to use or disclose PHI
in any manner that would not be permissible under HIPAA if done by Covered Entity.
13. Term and Termination.
- This Agreement shall be effective as of the Effective Date and for so long as the
Business Associate provides the Services to the Covered Entity.
- If Business Associate determines that Covered Entity has breached a material term of
this BAA, then Business Associate will provide Covered Entity with written notice of
the existence of the breach and shall provide Covered Entity with 30 days to cure the
breach. Covered Entity’s failure to cure the breach within the 30-day period will be
grounds for immediate termination of the Agreement and this BAA by Business Associate.
Business Associate may report the breach to the HHS.
- Covered Entity may terminate this BAA, the Agreement, and any other related agreements
if Covered Entity makes a determination that Business Associate has breached a material
term of this BAA and Business Associate has failed to cure that material breach, to
Covered Entity’s reasonable satisfaction, within 30 days after written notice from
Covered Entity. Covered Entity may report the problem to the Secretary of HHS if
termination is not feasible.
- Upon termination of the Agreement or this BAA for any reason, all PHI maintained by
Business Associate will be returned to Covered Entity or destroyed by Business Associate.
Business Associate will not retain any copies of such information. This provision will
apply to PHI in the possession of Business Associate’s agents and subcontractors. If
return or destruction of the PHI is not feasible, in Business Associate’s reasonable
judgment, Business Associate will furnish Covered Entity with notification, in writing,
of the conditions that make return or destruction infeasible. Upon mutual agreement of
the Parties that return or destruction of the PHI is infeasible, Business Associate
will extend the protections of this BAA to such information for as long as Business
Associate retains such information and will limit further uses and disclosures to those
purposes that make the return or destruction of the information not feasible. The Parties
understand that this Section 15.D. will survive any termination of this BAA.
14. Effect of BAA.
- This BAA is a part of and subject to the terms of the Agreement, except that to the
extent any terms of this BAA conflict with any term of the Agreement, the terms of
this BAA will govern.
- Except as expressly stated in this BAA or as provided by law, this BAA will not create
any rights in favor of any third party.
15. Regulatory References.
A reference in this BAA to a section in HIPAA means the section as in effect or as amended
at the time.
16. Interpretation. Any ambiguity in this BAA shall be
resolved in favor of a meaning that permits the Covered Entity to comply with the HIPAA
Rules.
17. Governing Law; Conflict. This BAA shall be enforced
and construed in accordance with the laws of the Province of Ontario.
In the event of a conflict between the terms of this BAA and the terms of any of the
Underlying Agreements, the terms of this BAA shall control.
18. Notices. All notices, requests and demands or other
communications to be given under this BAA to a Party will be made via electronic
mail to the Party’s email address provided below:
- If to Covered Entity, to:
The email address provided during account registration. Covered Entity is responsible
for keeping its contact information updated.
- If to Business Associate, to:
Email: legal@medmehealth.com
19. Amendments and Waiver. This BAA may not be modified,
nor will any provision be waived or amended, except in writing duly signed by authorized
representatives of the Parties. A waiver with respect to one event shall not be construed
as continuing, or as a bar to or waiver of any right or remedy as to subsequent events.
20. HITECH ACT Compliance. The Parties acknowledge that
the HITECH Act includes significant changes to the Privacy Rule and the Security Rule. The
privacy subtitle of the HITECH Act sets forth provisions that significantly change the
requirements for business associates and the agreements between business associates and
covered entities under HIPAA and these changes may be further clarified in forthcoming
regulations and guidance. Each Party agrees to comply with the applicable provisions of
the HITECH Act and any HHS regulations issued with respect to the HITECH Act. The Parties
also agree to negotiate in good faith to modify this BAA as reasonably necessary to comply
with the HITECH Act and its regulations as they become effective.
By checking the box indicating acceptance of this BAA during the account registration process,
the Covered Entity acknowledges and agrees to the terms of this Business Associate Agreement.
This acceptance constitutes a legally binding agreement under the Electronic Signatures in
Global and National Commerce Act (ESIGN Act) and applicable state laws governing electronic
contracts. No physical signature is required.