If Customer is a Covered Entity or a business associate and includes Protected Health Information in Customer Data provided to Dental Intelligence, Inc. as a business associate or sub-business associate, the Customer Terms of Service between the parties (the “Terms”) will automatically incorporate the terms of this Business Associate Agreement (“BAA”) as part of the overall agreement between the parties. If there is any conflict between a provision in this BAA and a provision in the Terms, this BAA will control. In this BAA, Customer is referred to as “Covered Entity” and Dental Intelligence, Inc. or Dental Intel is referred to as “Business Associate.”
Unless otherwise defined in this BAA, all capitalized words, like PHI, have the meanings set forth in the HIPAA Privacy and Security Rules, 45 C.F.R. Parts 160, 162 and 164, as modified from time to time.
WHEREAS, Business Associate has been engaged by Covered Entity to perform certain services under the Terms, wherein Business Associate may need to access, use and/or disclose PHI received from Covered Entity as a business associate; and
WHEREAS, the parties desire to ensure that their respective rights and responsibilities under the Terms are in accordance with applicable federal statutory and regulatory requirements relating to the access, use and disclosure of Protected Health Information (or “PHI”), including, without limitation, the Standards for Privacy of Individually Identifiable Health Information, and the Security Standards, collectively codified at 45 C.F.R. Parts 160, 162 and 164 (respectively the “Privacy Standards” and “Security Standards” ) under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act, as set forth in Subtitle D of the American Recovery and Reinvestment Act of 2009 (“HITECH”); and
WHEREAS, the purpose of this BAA is to satisfy the applicable standards and requirements of HIPAA, HITECH, the Privacy Standards and the Security Standards and regulations thereunder;
NOW, THEREFORE, in consideration of the foregoing recitals and the mutual covenants and agreements set forth herein, Business Associate and Covered Entity agree as follows:
1. Definitions:
a. “Business Associate” shall generally have the same meaning as the term “business associate” at 45 CFR 160.103, and in reference to the party to this BAA, shall mean Dental Intelligence, Inc.
b. “Covered Entity” shall generally have the same meaning as the term “covered entity” at 45 CFR 160.103, and in reference to the party to this BAA, shall mean the party identified as the Covered Entity in the first paragraph above.
c. “Electronic Health Record” shall have the same meaning as the term “electronic health record” in the American Recovery and Reinvestment Act of 2009, § 13400(5).
d. “HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164 and regulations issued thereunder, as may be expanded by HITECH.
e. “Protected Health Information” or “PHI” has the meaning given to Protected Health Information in the HIPAA Rules.
f. Other Terms. The following terms used in this BAA shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, Disclosure, Electronic Protected Health Information (or “Electronic PHI”), Electronic Transactions Rule, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Required by Law, Secretary, Security Incident, Subcontractor, Transaction, Unsecured Protected Health Information, and Use.
g. Regulatory References. A reference in this BAA to a section in the HIPAA Rules means the section as then in effect or as amended.
2. Scope: This BAA sets forth the terms and conditions pursuant to which any and all PHI that is provided, created, exchanged or received by and between Business Associate and Covered Entity will be handled. Business Associate and Covered Entity will comply with all applicable laws, including those governing the creation, use, disclosure, access, storage, and maintenance of PHI.
3. Duties and Responsibilities of Business Associate: Business Associate agrees to:
a. Use and Disclosure of PHI. Not Use or Disclose PHI other than as permitted or required by this BAA, as set forth in Section 4.a below, or as required by applicable law;
b. Safeguards. Use reasonable and appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 and HITECH with respect to electronic PHI, to protect the security of all PHI received from Covered Entity against Security Incidents, prohibited Uses or Disclosures of PHI or other misuse of PHI, as required by the HIPAA Rules;
c. Required Reporting. Report to Covered Entity, within thirty (30) days, any prohibited Use or Disclosure of PHI received from Covered Entity of which Business Associate becomes aware, whether by Business Associate, any of its employees, Subcontractors or agents, or any third party receiving or obtaining such PHI from or through Business Associate, including Breaches of Unsecured Protected Health Information, in addition to any other reporting obligations of Business Associate under the HIPAA Rules, and report any Security Incident of which it becomes aware; provided, however, that the parties acknowledge and agree that from time to time Unsuccessful Security Incidents may occur, that this section constitutes notice to Covered Entity for such incidents, and that no additional notice to Covered Entity is required for such incidents. “Unsuccessful Security Incidents” means any pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denial of service attacks, and/or comparable attacks or attempts, as long as no such incident results in unauthorized access, Use or Disclosure of PHI. Such reports will include a description of the PHI used or disclosed and the nature of the Use or Disclosure, to the extent such information is known by Business Associate;
d. Subcontractors. In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any Subcontractors that create, receive, maintain, or transmit PHI or Electronic PHI on behalf of Business Associate agree to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such PHI or Electronic PHI, including the obligation to report to Business Associate any instances of which it is aware of a violation of this BAA with respect to PHI or Electronic PHI;
e. Individual and Third Party Requests. If Business Associate receives a request from an Individual or any third party to inspect, obtain a copy of, or amend PHI, Business Associate will forward such request in writing to Covered Entity within five (5) business days of receiving the request. Covered Entity will be responsible for making all determinations regarding the third party request for PHI; Business Associate will neither make such determinations nor release PHI to a third party pursuant to such a request, except if and to the extent required by the HIPAA Rules;
f. Designated Record Sets. If Business Associate’s services under the Terms require it to maintain a Designated Record Set, then:
(i) within ten (10) business days of Covered Entity’s request to Business Associate for a copy of PHI, Business Associate will provide the requested PHI to Covered Entity, as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.524; and
(ii) Business Associate will make any amendment(s) to PHI in a Designated Record Set as directed or agreed to by Covered Entity pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.526;
g. Accounting of Disclosures. Maintain and, within thirty (30) days of receiving a request, or sooner if Required by Law, make available the information required to provide an accounting of disclosures to either Covered Entity or the Individual as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.528, for a period of at least six (6) years following the date of termination of this BAA;
h. Comply with Applicable Obligations of Covered Entity. To the extent Business Associate is to carry out one or more of Covered Entity’s obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to Covered Entity in the performance of such obligation(s);
i. Books and Records. Make its internal practices, books, and records relating to the Use and Disclosure of Covered Entity’s PHI available to the Secretary for purposes of determining compliance with the HIPAA Rules. Neither Business Associate nor Covered Entity waives any attorney-client, accountant-client, or other legal privilege or confidentiality as a result of this Section 3.i; and
j. Training. Business Associate will require each employee who will have access to PHI of Covered Entity to comply with the restrictions and conditions applicable to Business Associate herein. Business Associate will train its employees who may have access to PHI regarding the terms and conditions of this BAA and their obligations under the HIPAA Rules.
k. Electronic PHI. Business Associate will comply with the Security Standards and will use appropriate administrative, technical, and physical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of Electronic PHI that Business Associate creates, receives, maintains, or transmits on Covered Entity’s behalf, as required by the Security Standards. Business Associate shall review and modify the security measures implemented in accordance with the above as needed to continue to provide reasonable and appropriate protection of Electronic PHI. Business Associate shall update documentation of such security measures in accordance with 45 C.F.R. § 164.316(b)(2)(iii) and shall designate a security officer and undertake appropriate training of its personnel in accordance with the Security Standards.
l. Compliance with Electronic Transactions Rule. If Business Associate conducts in whole or in part electronic Transactions on behalf of Covered Entity for which the Department of Health and Human Services has established standards, Business Associate shall comply, and will require any Subcontractor it involves with the conduct of such Transactions to comply, with each applicable requirement of the Electronic Transactions Rule.
4. Permitted Uses and Disclosures by Business Associate:
a. Permitted Uses and Disclosures. Business Associate may only Use or Disclose PHI received from Covered Entity:
(i) as required to perform services for Covered Entity as specified under the Terms or other agreement between the parties;
(ii) for Business Associate’s proper management and administration (including improving its services), or to carry out the legal responsibilities of Business Associate, provided the disclosures are Required by Law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and Used or further Disclosed only as Required by Law or for the purposes for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached;
(iii) to provide Data Aggregation services relating to the Health Care Operations of Covered Entity, if so provided under the Terms or otherwise agreed in writing by the parties; and/or
(iv) to create de-identified information, in accordance with the standards set forth in 45 CFR 164.514(a)-(c), and to use and disclose such de-identified information for any purpose permitted by law.
b. Required Uses and Disclosures. Business Associate shall disclose PHI (i) when required by the Secretary of HHS under 45 C.F.R. Part 160, Subpart C to investigate or determine Business Associate’s compliance with Subchapter C of 45 C.F.R., Subtitle A, and (ii) to Covered Entity, the individual or the individual’s designee, as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. § 164.524(c)(2)(ii) and (3)(ii) with respect to the individual’s request for an electronic copy of his or her PHI.
c. Access. Business Associate will make available PHI in accordance with 45 C.F.R. § 164.524, upon request from Covered Entity, so that Covered Entity may meet its access obligations under 45 C.F.R. § 164.524.
d. Minimum Necessary. Business Associate will, in its performance of the functions, activities, services, and operations specified above, make reasonable efforts to use, to disclose, and to request only the minimum amount of the PHI reasonably necessary to accomplish the intended purpose of the use, disclosure or request, except that Business Associate will not be obligated to comply with this minimum-necessary limitation of 45 C.F.R. § 164.502(b) if neither Business Associate nor Covered Entity is required to limit its use, disclosure or request to the minimum necessary. Business Associate and Covered Entity acknowledge that the phrase “minimum necessary” shall be interpreted in accordance with 45 C.F.R. § 164.502(b).
e. Subpart E. Business Associate may not Use or Disclose PHI in a manner that would violate Subpart E of 45 CFR Part 164 if done by Covered Entity, except for the specific Uses and Disclosures set forth in Section 4.a.
5. Obligations of Covered Entity:
a. Notice of Privacy Practices. Covered Entity shall notify Business Associate of any limitation(s) in the Notice of Privacy Practices of Covered Entity under 45 CFR 164.520, to the extent that such limitation may affect Business Associate’s Use or Disclosure of PHI.
b. Notice of Changes in Consent. Covered Entity shall notify Business Associate of any changes in, or revocation of, the permission by an Individual to Use or Disclose his or her PHI, to the extent that such changes may affect Business Associate’s Use or Disclosure of PHI.
c. Notice of Restrictions. Covered Entity shall notify Business Associate of any restriction on the Use or Disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 CFR 164.522, to the extent that such restriction may affect Business Associate’s Use or Disclosure of PHI.
d. Permitted Requests. Covered Entity will not request or require Business Associate to Use or Disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Covered Entity.
6. Term and Termination:
a. Term. The Term of this BAA shall begin upon the effective date of the Terms and shall continue in effect until terminated as provided herein and until Business Associate returns or destroys all PHI of Covered Entity.
b. Termination at End of Business Association. This BAA will automatically terminate without further action of the parties upon the termination or expiration of the business association between Business Associate and Covered Entity.
c. Termination for Cause. If either party materially breaches this BAA, the other party may terminate this BAA and, at its election, the underlying Terms, subject to thirty (30) days prior written notice and opportunity to cure the breach.
d. Effect of Termination. Within thirty (30) days of the termination of this BAA, Business Associate will either return to Covered Entity or, if agreed to by Covered Entity, destroy all PHI received from Covered Entity or created, maintained, or received by Business Associate on behalf of Covered Entity, that Business Associate still maintains in any form (including any information in the possession of any employee, Subcontractor or other agent of Business Associate). Upon request of Covered Entity, Business Associate will provide a certificate to Covered Entity acknowledging such destruction. Business Associate will thereafter retain no written, digital, back-up or other copies of any PHI of Covered Entity. Notwithstanding the foregoing, if the return or destruction of PHI upon termination is not feasible, Business Associate shall so inform Covered Entity and will continue to maintain the security and privacy of such Protected Health Information in a manner consistent with the obligations of this BAA and as required by applicable law, for so long as Business Associate is in possession of such information. Business Associate will return or destroy such retained PHI as soon as is reasonably feasible. Business Associate may retain all de-identified information created prior to the date of termination of this BAA. The obligations of Business Associate under this Section 6 shall survive the termination of this BAA.
7. Ownership: All PHI that Covered Entity discloses to Business Associate pursuant to this BAA is and will remain the property of Covered Entity.
8. Limitation of Liability. NOTWITHSTANDING ANY OTHER PROVISION IN THIS BAA, UNDER NO CIRCUMSTANCES WILL BUSINESS ASSOCIATE HAVE ANY OBLIGATION OR LIABILITY HEREUNDER FOR ANY INCIDENTAL, INDIRECT, CONSEQUENTIAL, COLLATERAL, EXEMPLARY, PUNITIVE OR SPECIAL DAMAGES INCURRED BY COVERED ENTITY (INCLUDING DAMAGES FOR LOST BUSINESS, LOST PROFITS, COSTS OF COVER, COSTS OF DELAY, OR DAMAGES TO BUSINESS REPUTATION), REGARDLESS OF HOW SUCH DAMAGES ARISE, WHETHER OR NOT BUSINESS ASSOCIATE WAS ADVISED SUCH DAMAGES MIGHT ARISE, OR THE FAILURE OF THE ESSENTIAL PURPOSE OF ANY LIMITED REMEDY. IN NO EVENT SHALL BUSINESS ASSOCIATE HAVE ANY OBLIGATION, OR BE LIABLE FOR ANY DAMAGES, DIRECT OR OTHERWISE, UNDER THIS BAA IN EXCESS OF THE TOTAL AMOUNTS PAID BY COVERED ENTITY TO BUSINESS ASSOCIATE PURSUANT TO THE TERMS. These limitations are cumulative; the sum of multiple claims may not exceed such limit.
a. Assignment; Binding Effect: This BAA is personal to Business Associate and Covered Entity and may not be assigned or delegated by either party without the prior written consent of the other party in each instance; provided, however, that in the event of a permitted assignment of the Terms, this BAA may be assigned together with the Terms. This BAA shall be binding upon and shall inure to the benefit of the parties hereto and their respective representatives, successors, and permitted assigns.
b. Entire Agreement; Amendment: This BAA contains the entire agreement between the parties, and supersedes all prior or contemporaneous agreements, understandings, or representations with respect to the subject matter hereof. This BAA may be amended only by written agreement of the parties. Business Associate and Covered Entity agree to amend this BAA to the extent necessary to allow both parties to comply with the HIPAA Rules as they may be amended or recodified from time to time, or to comply with other applicable regulations or statutes for the protection of PHI.
c. Severability. If any term or provision of this BAA shall to any extent be invalid or unenforceable, the remainder of this BAA shall not be affected thereby and each term and provision of this BAA shall be valid and enforced to the fullest extent permitted by law.
d. Conflict: The terms and provisions of this BAA shall supersede any other conflicting or inconsistent terms and provisions in the Terms, including any other attachments thereto and documents incorporated therein by reference.
e. Choice of Law and Venue: This BAA shall be construed in accordance with the laws of the State of Utah, without giving effect to the choice of law provisions thereof. Venue for any action or proceeding related to this BAA shall be in the state or federal courts of the state of Utah, as appropriate. The parties agree to the personal jurisdiction and venue of such courts.
f. Notices. Any notice or report hereunder shall be deemed given if delivered or sent by first class mail, postage prepaid, addressed to the other party at the address set forth in the Terms, or at such other address as designated by the party by written notice, or by commercial delivery service, or by confirmed email or facsimile. If notice is given by mail and the notice affects the other party’s rights hereunder, the effective date of the notice shall be seven (7) days after the date of mailing or the date the notice is received, whichever is earlier.
g. Interpretation. Any ambiguity in this BAA shall be interpreted to permit compliance with the HIPAA Rules.