Aloha Practice Management, Inc. (“AlohaABA”) is committed to compliance with the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH). Below is our standard Business Associate Agreement (BAA), which outlines our privacy and security obligations when handling Protected Health Information (PHI) on behalf of Covered Entities. This document is provided for reference only. A fully executed version will be provided to customers upon onboarding or upon request at privacy@alohaaba.com.
HIPAA Business Associate Agreement
This sample Business Associate Agreement (“Agreement”) outlines the standard terms between a Covered Entity and Aloha Practice Management, Inc. (“Business Associate”). To ensure compliance by Covered Entity and Business Associate (when acting as a Business Associate) with HIPAA, the Parties agree as follows:
1. Definitions. As used in the Agreement:
1.1. “Electronic Protected Health Information” shall have the same meaning as the term “electronic protected health information” in 45 C.F.R. § 160.103.
1.2. “HIPAA” means the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act, Public Law 104-191, and any amendments thereto.
1.3. “HITECH Act” means Subtitle D of the Health Information Technology for Economic and Clinical Health Act, as incorporated in the American Recovery and Reinvestment Act of 2009 (42 U.S.C. §§ 17921 – 54).
1.4. “Individual” shall have the same meaning as the term “individual” in 45 C.F.R. § 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. § 164.502(g).
1.5. “Privacy Rule” means the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. Parts 160 and 164, as they exist now or as they may be amended.
1.6. “Protected Health Information” shall have the same meaning as the term “protected health information” in 45 C.F.R. § 160.103, limited to the information created, received, maintained, or transmitted by Business Associate from, or on behalf of, Covered Entity. Unless otherwise stated in the Agreement, any provision, restriction, or obligation in the Agreement related to the use of Protected Health Information shall apply equally to Electronic Protected Health Information.
1.7. “Required by Law” shall have the same meaning as the term “required by law” in 45 C.F.R. § 164.103.
1.8. “Secretary” shall have the same meaning as the term “secretary” in 45 C.F.R. § 160.103.
1.9. “Security Standards” means the Security Standards at 45 C.F.R. Parts 160, 162, and 164, as they exist now or as they may be amended.
1.10. “Services Agreement” means the agreement(s) between Business Associate and Covered Entity under which Business Associate provides certain services for or on behalf of Covered Entity that involve the use or disclosure of Protected Health Information.
1.11. Terms used, but not otherwise defined, in the Agreement shall have the same meaning as those terms in 45 C.F.R. §§ 160.103 and 164.501. If any citation referenced in the Agreement is changed due to an amendment of the applicable statute or regulation, the citation herein shall be deemed to be automatically amended to reflect the proper citation.
2. Obligations and Activities of Business Associate.
2.1. Business Associate agrees that it shall not, and that its directors, officers, employees, contractors and agents shall not, use or further disclose Protected Health Information other than as permitted or required by the Agreement or as Required by Law.
2.2. Business Associate shall develop, implement, maintain and use appropriate safeguards to prevent the use or disclosure of Protected Health Information other than as provided for by the Agreement.
2.3. Business Associate shall develop, implement, maintain and use appropriate administrative, technical and physical safeguards in compliance with the HITECH Act and applicable provisions of the Security Standards (including 45 C.F.R. §§ 164.308, 310, 312, 316 and 164.530(c)) and any other applicable implementing regulations issued by the U.S. Department of Health and Human Services, to reasonably and appropriately protect the integrity, confidentiality, and availability of, and prevent non-permitted use or disclosure of, Electronic Protected Health Information. Business Associate will develop and implement written policies and procedures for these safeguards and will keep them current.
2.4. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of the Agreement.
2.5. Notification of Privacy or Security Breach.
2.5.1. Breach Notification. Following discovery, Business Associate shall report, without unreasonable delay and in no event later than ten (10) business days after discovery, any “breach” of “unsecured Protected Health Information,” as these terms are defined in 45 C.F.R. § 164.402. Business Associate shall cooperate with Covered Entity in investigating the breach and in meeting Covered Entity’s obligations under the breach notification provisions of HIPAA (45 C.F.R. Part 164 Subpart D). Business Associate shall also comply with all applicable state breach notification laws, including notice to the Texas Attorney General under Tex. Bus. & Com. Code § 521.053.
2.5.2. Privacy Breaches. With respect to any incident not subject to reporting under § 2.5.1 of the Agreement, Business Associate shall promptly report to Covered Entity any use or disclosure of Protected Health Information of which it becomes aware that is not permitted or required by the Agreement.
2.5.3. Security Incidents. With respect to any incident not subject to reporting under § 2.5.1 or § 2.5.2 of the Agreement, Business Associate shall report to Covered Entity any successful (i) unauthorized access, use, disclosure, modification, or destruction of Covered Entity’s Electronic Protected Health Information, or (ii) unauthorized interference with system operations in Business Associate’s information system, of which Business Associate becomes aware. Business Associate shall, upon Covered Entity’s written request, provide Covered Entity with Business Associate’s periodic report of attempted, but unsuccessful, (i) unauthorized access, use, disclosure, modification, or destruction of Covered Entity’s Electronic Protected Health Information, or (ii) unauthorized interference with system operations in Business Associate’s information systems, of which Business Associate becomes aware.
2.6. Business Associate agrees to ensure that any agent, including a subcontractor, to whom it provides Protected Health Information, agrees in writing to the same restrictions and conditions that apply through the Agreement to Business Associate with respect to Protected Health Information, including all requirements under 45 C.F.R. § 164.504(e)(2) and the HITECH Act.
2.7. Business Associate agrees to make its internal practices, books and records relating to the use and disclosure of Protected Health Information available to Covered Entity, or at the request of Covered Entity to the Secretary, in a timely manner, for purposes of the Secretary determining Covered Entity’s and Business Associate’s compliance with the Privacy Rule.
2.8. Business Associate agrees to document disclosures of Protected Health Information, and information related to such disclosures, as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 C.F.R. § 164.528. Business Associate agrees to implement an appropriate record keeping process that will track, at a minimum, the following information: (i) the date of the disclosure; (ii) the name of the entity or person who received the Protected Health Information, and if known, the address of such entity or person; (iii) a brief description of the Protected Health Information disclosed; and (iv) a brief statement of the purpose of such disclosure which includes an explanation of the basis for such disclosure.
2.9. Business Associate agrees to provide to Covered Entity or an Individual, in a time and manner designated by Covered Entity, information collected in accordance with Section 2.8 of the Agreement, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information during the seven (7) years prior to the date on which the accounting was requested, in accordance with 45 C.F.R. § 164.528.
2.10. Business Associate shall not de-identify or re-identify Protected Health Information except as expressly authorized in writing by Covered Entity and in compliance with 45 C.F.R. § 164.514.
2.11. In the event Business Associate receives a subpoena, court or administrative order, or other discovery request or mandate for release of Protected Health Information, Business Associate shall notify Covered Entity of the request as soon as reasonably practicable after receipt of such request.
3. Permitted Uses and Disclosures by Business Associate.
3.1. General Use. Except as otherwise limited in the Agreement, Business Associate may use or disclose Protected Health Information to perform functions, activities, or services for, or on behalf of, Covered Entity, provided that such use or disclosure would not violate the Privacy Rule or the HITECH Act if done by Covered Entity.
3.2. Specific Use and Disclosure Provisions.
3.2.1. Except as otherwise limited in the Agreement, Business Associate may use Protected Health Information for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate.
3.2.2. Except as otherwise limited in the Agreement, Business Associate may disclose Protected Health Information for the proper management and administration of Business Associate, provided that disclosures are required or permitted by law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
3.2.3. Except as otherwise limited in the Agreement, Business Associate may use Protected Health Information to provide Data Aggregation services to Covered Entity as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B).
3.2.4. Business Associate may use Protected Health Information to report violations of law to appropriate Federal and State authorities, consistent with 45 C.F.R. § 164.502(j)(1).
3.2.5. Notwithstanding the foregoing, Business Associate shall not: (i) use or disclose Protected Health Information for fundraising or marketing purposes except as permitted by the Privacy Rule; (ii) disclose Protected Health Information to a health plan for payment or health care operations purposes if Business Associate is made aware of a patient’s request for a special restriction and the patient has paid out of pocket in full for the health care item or service to which the Protected Health Information solely relates; or (iii) directly or indirectly receive remuneration in exchange for Protected Health Information, except as permitted by the HITECH Act.
The prohibition in Section 3.2.5(iii) shall not affect payment by Covered Entity to Business Associate for services provided pursuant to the Services Agreement.
4. Obligations of Covered Entity.
4.1. Covered Entity shall notify Business Associate of any limitation(s) in the notice of privacy practices of Covered Entity in accordance with 45 C.F.R. § 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of Protected Health Information.
4.2. Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose Protected Health Information, to the extent that such changes may affect Business Associate’s use or disclosure of Protected Health Information.
4.3. Covered Entity shall notify Business Associate of any restriction on the use or disclosure of Protected Health Information that Covered Entity has agreed to in accordance with 45 C.F.R. § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of Protected Health Information.
4.4. Covered Entity shall not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under the Privacy Rule if done by Covered Entity, except as specifically allowed by Section 3.2 of the Agreement.
5. Term and Termination.
5.1. Term. The Term of the Agreement shall be effective as of the date it is executed, and shall terminate when all of the Protected Health Information provided by Covered Entity to Business Associate, or created, received, maintained or transmitted by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy Protected Health Information, protections are extended to such information, in accordance with the termination provisions in this Section.
5.2. Covered Entity’s Termination for Breach. As provided for under 45 C.F.R. § 164.504(e)(2)(iii), the Covered Entity may immediately terminate this Agreement and any related Services Agreements if the Covered Entity makes the determination that the Business Associate has breached a material term of this Agreement. Alternatively, the Covered Entity may choose to:
5.2.1. Provide an opportunity for Business Associate to cure the breach or end the violation and terminate the Agreement if Business Associate does not cure the breach or end the violation within the time specified by Covered Entity; or
5.2.2. Immediately terminate the Agreement if Business Associate has breached a material term of the Agreement and cure is not possible.
5.3. Business Associate’s Termination for Breach. Upon Business Associate’s knowledge of a material breach of the terms of the Agreement by Covered Entity, Business Associate shall:
5.3.1. Provide an opportunity for Covered Entity to cure the breach or end the violation and terminate the Agreement if Covered Entity does not cure the breach or end the violation within the time specified by Business Associate;
5.3.2. Immediately terminate the Agreement if Covered Entity has breached a material term of the Agreement and cure is not possible; or
5.4. Effect of Termination.
5.4.1. Except as provided in paragraph 5.4.2 of this Section, upon termination of the Agreement, for any reason, Business Associate shall return or destroy all Protected Health Information. This provision shall apply to Protected Health Information that is in the possession of subcontractors or agents of Business Associate. Business Associate shall retain no copies of the Protected Health Information.
5.4.2. In the event that return or destruction of the Protected Health Information is infeasible, Business Associate shall extend the protections of the Agreement to such Protected Health Information and limit further uses and disclosures of such Protected Health Information to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such Protected Health Information. Upon destruction, Business Associate shall provide Covered Entity with written certification of the method and date of destruction.
6. Miscellaneous.
6.1. Term. No provision of the Agreement may be modified except by a written document signed by a duly authorized representative of the parties. The parties agree to amend the Agreement, as appropriate, to conform to any new or revised legislation, rules and regulations to which Covered Entity is subject now or in the future including, without limitation, the Privacy Rule, Security Standards or Transactions Standards (collectively, “Laws”). If within ninety (90) days of either party first providing written notice to the other of the need to amend the Agreement to comply with Laws, the parties, acting in good faith, are (i) unable to mutually agree upon and make amendments or alterations to the Agreement to meet the requirements in question, or (ii) alternatively, the parties determine in good faith that amendments or alterations to the requirements are not feasible, then either party may terminate the Agreement upon thirty (30) days written notice.
6.2. Assignment. No party may assign or transfer any or all of its rights and/or obligations under the Agreement or any part of it, nor any benefit or interest in or under it, to any third party without the prior written consent of the other party, which shall not be unreasonably withheld.
6.3. Survival. The respective rights and obligations of Business Associate under Section 5.4.2 of the Agreement shall survive the termination of the Agreement.
6.4. Interpretation. Any ambiguity in the Agreement shall be resolved to permit Covered Entity to comply with the Privacy Rule and Security Standards.
6.5. Third Party Rights. The terms of the Agreement are not intended, nor should they be construed, to grant any rights to any parties other than Business Associate and Covered Entity.
6.6. Third Party Rights. The Agreement constitutes the entire agreement of the parties with respect to the parties’ compliance with federal and/or state health information confidentiality laws and regulations, as well as the parties’ obligations under the business associate provisions of 45 C.F.R. Parts 160 and 164. The Agreement supersedes all prior or contemporaneous written or oral memoranda, arrangements, contracts, or understandings between the parties hereto relating to the same. The Agreement does not supersede any prior or contemporaneous written or oral memoranda, arrangements, contracts or understandings between the parties hereto relating to the confidentiality of other Covered Entity proprietary and/or confidential information that is not covered by the above Laws relating to health information protection.
6.7. Minimum Necessary. Covered Entity and Business Associate shall adhere to all required standards with respect to the “minimum necessary” requirements for uses, disclosures and requests for protected health information under the Privacy Rule.
6.8. Notice. All notices required under the Agreement shall be in writing and shall be deemed to have been given on the next day if sent by fax or other electronic means or upon personal delivery, or in ten (10) days upon delivery in the mail, first class, with postage prepaid. Notices shall be sent to the addressees indicated below unless written notification of change of address shall have been given.
6.9. Governing Law. This Agreement is made, entered into, and executed in the State of Texas and shall be governed by and construed in accordance with the laws of the State of Texas applicable to agreements made and to be performed entirely within the State of Texas. In the event of any conflict between state law and federal HIPAA/HITECH requirements, federal law shall control. The parties hereto also hereby irrevocably and unconditionally consent to submit to the exclusive jurisdiction of the Supreme Court of the State of Texas, County of Denton for any actions, suits or proceedings arising out of or relating to this Agreement and the transactions contemplated hereby (and each party hereto agrees not to commence any action, suit or proceeding relating thereto except in such courts).
6.10. Owner of Protected Health Information. Under no circumstances shall Business Associate be deemed in any respect to be the owner of any Protected Health Information used or disclosed by or to Business Associate pursuant to the terms of the Agreement.
For privacy or compliance inquiries, please contact:
Aloha Practice Management, Inc.
5000 Eldorado Pkwy, Ste 150-117, Frisco, TX 75033
Email: privacy@alohaaba.com