Business Associate Agreement
This Business Associate Agreement (“BAA”) applies to the extent Customer is a Covered Entity or a Business Associate and triValence is a Business Associate or Subcontractor of Customer because triValence creates, receives, maintains, or transmits PHI for or on behalf of Customer under the Agreement. To the extent of any conflict or inconsistency between this BAA and any other provision of the Agreement, this BAA will govern with respect to PHI.
“Agreement” means the agreement as defined in the Order Form.
“Business Associate” has the definition given to it under HIPAA.
“Breach” has the definition given to it under HIPAA.
“Covered Entity” has the definition given to it under HIPAA.
“Designated Record Set” has the definition given to it under HIPAA.
“HIPAA” means the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act of the American Recovery and Reinvestment Act of 2009, and their implementing regulations, as amended from time to time.
“Protected Health Information” or “PHI” has the definition given to it under HIPAA, but is limited to PHI within Customer Data to which triValence has access through the Platform in connection with the Customer’s permitted use of the Platform. References to PHI in this BAA include electronic PHI.
“Required by Law” has the definition given to it under HIPAA.
“Security Incident” has the definition given to it under HIPAA.
“Subcontractor” has the definition given to it under HIPAA. Other capitalized terms used in this BAA without definition will have the respective meanings given to such terms under HIPAA.
- PERMITTED USES AND DISCLOSURES
2.1. Use and Disclosure. Except as otherwise stated in this BAA, triValence may use and disclose PHI only (a) as permitted or required by the Agreement or this BAA, or (b) as Required by Law, and triValence will not otherwise use or disclose PHI. Except as set forth in Sections 2.2, 2.3, and 2.5 of this BAA, triValence will not use or disclose PHI in any manner that would constitute a violation of HIPAA if so used or disclosed by Customer.
2.2. Uses for Proper Management and Administration. triValence may use PHI for triValence’s proper management and administration and to carry out triValence’s legal responsibilities.
2.3. Disclosures for Proper Management and Administration. triValence may disclose PHI to a third party for triValence’s proper management and administration, provided that the disclosure is Required by Law or triValence obtains reasonable assurances from the third party to whom PHI will be disclosed that (a) it will be held confidentially, (b) it will be used or further disclosed only for the purpose for which it was disclosed to the third party, and (c) the third party will notify triValence of any instances of which it is aware in which the confidentiality of the PHI has been breached.
2.4. Reporting Violations of Law. triValence may use PHI to report violations of law to appropriate federal and state authorities, consistent with 45 CFR § 164.502(j)(1).
2.5. Data Aggregation. triValence may use PHI to provide Data Aggregation services if required or permitted under the Agreement.
2.6. De-Identification. triValence may use PHI to create de-identified health information in accordance with the HIPAA de-identification standards. triValence may disclose de-identified health information for any purpose permitted by law.
- TRIVALENCE’S OBLIGATIONS
3.1. No Other Use or Disclosure. triValence will not use or further disclose PHI other than as permitted or required by the Agreement or as Required by Law.
3.2. Privacy Standards. To the extent triValence is to carry out any of Customer’s obligations under the HIPAA privacy standards, triValence will comply with the requirements of the HIPAA privacy standards that apply to Customer in the performance of such obligation.
3.3. Safeguards. triValence will use appropriate safeguards and comply, where applicable, with the HIPAA security standards with respect to electronic PHI, to prevent use or disclosure of the PHI other than as provided for by the Agreement and this BAA.
3.4. Unauthorized Uses and Disclosures; Breaches. triValence will report to Customer any use or disclosure of PHI not permitted by this BAA of which triValence becomes aware, including Breaches of Unsecured PHI as required by 45 CFR § 164.410.
3.5. Security Incidents. triValence will report to the Customer any successful Security Incident of which triValence becomes aware. Notwithstanding the foregoing, notice is hereby deemed provided, and no further notice will be given, regarding the existence of unsuccessful Security Incidents, such as pings and other broadcast attacks on a firewall, denial of service attacks, port scans, unsuccessful login attempts, malware such as worms or viruses, or interception of encrypted information where the key is not compromised, or any combination of the above.
3.6. Subcontractors. triValence will enter into a written agreement meeting the requirements of 45 CFR §§ 164.504(e) and 164.314(a)(2) with each Subcontractor that creates, receives, maintains, or transmits PHI on triValence’s behalf that obligates the Subcontractor to comply with restrictions and conditions that are at least as restrictive as those that apply to triValence under this BAA.
3.7. Access to PHI. To the extent triValence maintains PHI in a Designated Record Set, within 15 business days of receipt of a written request from Customer, triValence will make PHI contained in such Designated Record Set available to Customer so that Customer may comply with 45 CFR § 164.524. Between Customer and triValence, Customer is solely responsible for making decisions regarding whether to approve a request for access to PHI.
3.8. Amendments to PHI. To the extent triValence maintains PHI in a Designated Record Set, within 15 business days of receipt of a written request from Customer, triValence will make PHI contained in such Designated Record Set available to Customer for amendment and incorporate any such amendments to such PHI in accordance with 45 CFR § 164.526. Between Customer and triValence, Customer is solely responsible for making decisions regarding whether to approve a request for amendment to PHI.
3.9. Accounting of Disclosures. Within 30 business days of receipt of written notice from Customer, triValence will make available to Customer the information required for Customer to provide an accounting of disclosures in accordance with 45 CFR § 164.528 of which triValence is aware. Because triValence cannot readily identify which Individuals are identified or what types of PHI are included in Customer Data, the Customer will be solely responsible for identifying which Individuals, if any, may have been included in Customer Data that triValence has disclosed and for providing a brief description of the PHI disclosed.
3.10. Books and Records. triValence will make triValence’s internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary for purposes of determining Customer’s compliance with HIPAA.
3.11. Minimum Necessary. To the extent required by the “minimum necessary” requirements of HIPAA, triValence will only request, use, and disclose the minimum amount of PHI necessary to accomplish the purpose of the request, use, or disclosure.
- CUSTOMER’S OBLIGATIONS
4.1. Permissible Requests. Customer will not request that triValence use or disclose PHI in any manner that would not be permissible under HIPAA if done directly by Customer (except as set forth in Sections 2.2, 2.3, and 2.5 of this BAA).
4.2. Minimum Necessary. When Customer discloses PHI to triValence, Customer will provide only the minimum amount of PHI necessary for the accomplishment of Customer’s purpose.
4.3. Restrictions; Revocation of Authorization. Customer must promptly notify triValence in writing of any changes in, or revocation of, the permission by an Individual to use or disclose his or her PHI, to the extent that such changes may affect triValence’s use or disclosure of PHI, and must take affirmative steps to remove such PHI from the Platform.
4.4. Notice of Privacy Practices. Customer must notify triValence in writing of any limitation in any applicable notice of privacy practices in accordance with 45 CFR § 164.520, to the extent that such limitation may affect triValence’s use or disclosure of PHI.
5.1. Termination for Cause. Any other provision of the Agreement notwithstanding, either party (the “Non-Breaching Party”) may terminate this BAA and the Agreement upon 30 days advance written notice to the other party (the “Breaching Party”) if the Breaching Party materially breaches this BAA and such breach is not cured to the reasonable satisfaction of the Non-Breaching Party within such 30-day period.
5.2. Return or Destruction of PHI. Upon expiration or earlier termination of this BAA, triValence will either return or destroy all PHI received from Customer or created or received by triValence on Customer’s behalf and which triValence still maintains in any form. Notwithstanding the foregoing, to the extent that triValence reasonably determines that it is not feasible to return or destroy such PHI, the terms and provisions of this BAA will survive termination of this BAA, and triValence will use or disclose such PHI solely for such purpose or purposes which prevented the return or destruction of such PHI.
- GENERAL PROVISIONS
6.1. HIPAA Amendments. Any future amendments to HIPAA affecting business associate agreements are hereby incorporated by reference into this BAA as if set forth in this BAA in their entirety, effective the later of the effective date of this BAA or such subsequent date as may be specified by HIPAA.
6.2. Regulatory References. A reference in this BAA to a section in HIPAA means the section as it may be amended from time to time.