NOTE: The agreement is for review only and both parties do not enter into any agreement unless the agreement is signed and executed. BAA is only available to supported pricing plans. See mailbox pricing page for details.
This Business Associate Agreement (“Business Associate Agreement”) by and between Virtual Post Solutions, Inc. (“Company”) and the customer ("Customer") is effective as of the first date upon which Company obtains Protected Health Information, as defined below, from Customer. This Business Associate Agreement is intended to provide for the protection of the privacy and security of the Protected Health Information (as defined below in relation to the other service agreements (“Services Agreement”) separately entered into by and between the parties), consistent with the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191 (1996) as amended by the Health Information Technology for Economic and Clinical Health Act enacted under the American Recovery and Reinvestment Act of 2009, Pub. L. No. 111–5 (2009), implementing regulations promulgated by the U.S. Department of Health and Human Services at 45 C.F.R. Parts 160, 162 and 164 (each as amended, updated or superseded from time to time, collectively, “HIPAA”).
WHEREAS, Customer is a “Covered Entity” as defined by, and subject to, HIPAA, including but not limited to the Standards for Privacy of Individually Identifiable Health Information codified at 45 C.F.R. Parts 160 and 164 (“Privacy Standards”);
WHEREAS, Company and Customer have entered into the Services Agreement, under which Company has agreed to provide certain services for Customer as set forth in the Services Agreement (the “Services”), and, in order to obtain those services, Customer is making certain Protected Health Information (as defined below) accessible to Company;
WHEREAS, the Privacy Standards require that PHI disclosed by a Covered Entity to its “business associates” be subject to certain contractual requirements; and
WHEREAS, Company and Customer are committed to maintaining and protecting the privacy, security and integrity of PHI shared with or created by Company on behalf of Customer.
NOW THEREFORE, in consideration of the mutual promises and covenants contained herein, the sufficiency of which is hereby acknowledged by the parties, the parties agree to amend and supplement the Services Agreement as follows:
As used in this Business Associate Agreement:
1.1 “Protected Health Information” or “PHI” shall, consistent with 45 C.F.R. § 160.103, include any information that (a) was created or received by or on behalf of Customer; (b) identifies or reasonably could be used to identify an individual; and (c) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, but limited solely to information received or created by Company from or on behalf of Customer.
1.2 “Individual” shall mean the person who is the subject of PHI, and shall include a person who qualifies as the Individual’s personal representative under the Privacy Standards, in accordance with 45 C.F.R. § 164.502(g).
1.3 “Designated Record Set” shall, consistent with 45 C.F.R. § 164.501, mean a group of records containing PHI that is maintained by or on behalf of Customer and that either (a) constitutes a health care provider’s medical and billing records or a health plan’s enrollment, payment, claims adjudication and case or medical management records, or (b) is used in whole or in part by or for Customer to make decisions about individuals.
All capitalized terms used in this Business Associate Agreement and not defined elsewhere herein or in the underlying Services Agreement between the parties shall have the same meaning as those terms as used or defined in HIPAA.
2. SERVICES PERFORMED BY COMPANY
Company shall have access to PHI solely to the extent necessary for Company to facilitate Customer’s ability to perform its “health care operations” (as defined in 45 C.F.R. § 164.501) through the provision of the Services. Company shall not create or maintain PHI in any form other than necessary to provide the Services, and Company shall not undertake any transaction on behalf of the Customer with respect to PHI except as so necessary.
3. COMPANY’S RIGHTS AND OBLIGATIONS
3.1 Permitted Uses and Disclosures of PHI. Company may:
use PHI as necessary or appropriate to perform the Services as set forth in the Services Agreement;
disclose PHI to Customer as necessary or appropriate to perform the Services or as otherwise set forth in this Business Associate Agreement;
use PHI as necessary for the proper management and administration of its obligations under the Services Agreement or to carry out its legal responsibilities; and
disclose PHI as necessary for the proper management and administration of Company, provided that disclosures are (i) required by law or (ii) Company obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person notifies Company of any instances of which it is aware in which the confidentiality of the information has been breached.
3.2 Non-Permissible Uses and Disclosures of PHI. Company agrees to not use or disclose PHI other than as permitted by this Business Associate Agreement or as required by law.
3.3 Adequate Safeguards for PHI. Company agrees to implement and maintain appropriate safeguards to prevent the use or disclosure of PHI in any manner other than as permitted in this Business Associate Agreement. Without limiting the foregoing, to the extent applicable to the Services being performed by Company, Company shall establish and maintain, in compliance with HIPAA and any applicable guidance issued pursuant thereto, administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of any PHI that is Electronic Protected Health Information or any other Electronic Protected Health Information maintained or transmitted by Company for or on behalf of Customer, and Company shall establish and maintain policies and procedures and comply with the documentation requirements set forth in HIPAA.
3.4 Reporting Any Impermissible Use or Disclosure. Company agrees to report to Customer any use or disclosure of PHI not provided for by this Business Associate Agreement of which Company becomes aware, including breaches of unsecured PHI as required at 45 CFR 164.410, and any security incident of which it becomes aware.
3.5 Mitigating Harmful Effect. Company agrees to mitigate, to the extent practicable, any harmful effect actually known to Company of any use or disclosure of PHI that is in violation of this Business Associate Agreement.
3.6 Possible Disclosures to Subcontractors. Company agrees that, if Customer requests and the parties agree in writing that PHI should be disclosed by Company to any subcontractor or agent, Company will ensure that such subcontractor or agent agrees to the same restrictions and conditions that apply to Company through this Business Associate Agreement with respect to such PHI.
3.7 Access and Amendment to PHI. Company agrees that, to the extent Customer and Company agree in writing that any PHI held solely within Company’s custody and control constitutes a Designated Record Set, Company will make such PHI available to the Customer, upon request, for (a) access by the Individual or (b) amendment by Customer or (c) as otherwise required by law. In no event, however, shall Customer require that an Individual have access to PHI at Company premises, or that Company otherwise respond to any Individual’s request for access or amendment.
3.8 Accounting for Disclosures. Company agrees that, to the extent that any disclosure might be made by Company that would require an accounting pursuant to 45 C.F.R. § 164.528, Company shall maintain information relating to such disclosures as required by law and shall, upon Customer’s request, provide an accounting of such disclosures to Customer.
3.9 Access by the Secretary of HHS. Company agrees to make its internal practices, books and records relating to the use and disclosure of PHI available to the Secretary of the Department of Health and Human Services (“HHS”) for purposes of determining Customer’s compliance with the Privacy Standards. Unless prohibited to do so by the Secretary of HHS or his or her agents, Company shall notify Customer within ten (10) business days of any request by the Secretary to review such internal practices, books or records.
4. CUSTOMER’S OBLIGATIONS
4.1 Minimum Necessary Disclosures. Customer agrees to disclose to Company only the minimum necessary PHI required for Company to perform the Services.
4.2 Limitation on Requests for Use or Disclosure. Customer agrees not to request Company to use or disclose PHI in any manner that would not be permissible under the Privacy Standards if done by Customer.
4.3 Additional Requirements. Customer shall (i) notify Company of any limitation in Customer’s privacy policies to the extent that such limitation may affect Company’s use or disclosure of PHI, (ii) notify Company of any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent that such change may affect Company’s use or disclosure of PHI, (iii) notify Company of any restriction on the use or disclosure of PHI to which Customer has agreed in accordance with HIPAA, to the extent that such restriction may affect Company’s use or disclosure of PHI, and (iv) obtain any authorization or consents as may be required by law for any of the uses or disclosures of PHI necessary for Company to provide the Services.
5. TERM AND TERMINATION
5.1 The term of this Business Associate Agreement shall commence on the Effective Date of the Services Agreement and shall terminate upon termination or expiration of the Services Agreement, unless otherwise agreed upon by the parties in writing, including as set forth below.
5.2 If Customer becomes aware of a material breach by Company of this Business Associate Agreement, Customer may terminate those provisions of the Services Agreement that require access by Company to PHI within thirty (30) days after Customer provides written notice to Company of the material breach, provided that Company fails to cure the breach or commence substantial curative actions prior to the end of such thirty (30) notice period. If, following notice by Customer of a material breach by Company, it is determined that cure of the breach is not possible, Customer may immediately terminate those provisions of the Services Agreement requiring access by Company to PHI. If neither termination nor cure is possible, Customer may report the breach to the Secretary of HHS if Customer determines in good faith that such reporting is required under 45 C.F.R. § 164.504(e)(1)(ii)(B).
5.3 Upon termination of this Business Associate Agreement, Company shall return or destroy all PHI in its possession and shall retain no copies of any of the PHI, unless Company determines that returning or destroying the PHI is impossible. If Company does make such a determination, it shall notify Customer of the conditions making return or destruction of the PHI impossible, and, for so long as Company maintains the PHI, it shall extend to the PHI the protections of this Business Associate Agreement and limit further uses and disclosures of the PHI to those purposes that make the return or destruction impossible.
5.4 The parties’ respective rights and obligations following any termination of those provisions of the Services Agreement that require access by Company to PHI shall be as set forth in the Services Agreement.
6.1 Scope of Business Associate Agreement. This Business Associate Agreement relates only to the use, disclosure and protection of PHI to the extent such PHI is disclosed to or received by Company from or on behalf of Customer, and constitutes the complete understanding between the parties relating to the protection and confidentiality of PHI provided to Company by or on behalf of the Customer. To the extent that the provisions of this Business Associate Agreement conflict with the provisions of the Services Agreement, the provisions of this Business Associate Agreement shall control. All other provisions of the Services Agreement shall remain in full force and effect. Without limiting the foregoing and notwithstanding anything in this Business Associate Agreement to the contrary, the parties acknowledge and agree that Company’s aggregate liability to Customer arising from or related to this Business Associate Agreement is subject to the applicable terms and conditions of Customer’s Services Agreement.
6.2 Severability. In the event that any one or more of the provisions of this Business Associate Agreement shall for any reason be held to be invalid, illegal, or unenforceable, the remaining provisions of this Business Associate Agreement shall not be affected thereby.
6.3 Amendments. This Business Associate Agreement may only be amended or modified by written agreement executed between the parties.
6.4 Third Party. This Business Associate Agreement is entered into by the parties specified herein for their own benefit. There is no intent by either party to create or to establish third party beneficiary status or rights or their equivalent in any subcontractor, any of the Customer’s customers or other party which may be affected by the operation of this Business Associate Agreement, and such parties shall not have any right to enforce or enjoy any benefit created or established under this Business Associate Agreement.