HIPAA-compliant partnership agreement for healthcare data protection
This Agreement is made and entered into as of October 01, 2024 (the "Effective Date"), by and between [COVERED ENTITY NAME], LLC (hereinafter "COVERED ENTITY") and TensorLinks Inc., with a principal place of business at 11675 Leona St, Frisco, TX 75035 (hereinafter "Business Associate").
WHEREAS, reference is made to that certain agreement(s) between COVERED ENTITY and Business Associate and dated October 01, 2024 as may be amended from time to time (the "Services Agreement"), pursuant to which Business Associate performs certain activities or functions on COVERED ENTITY's behalf which may involve Business Associate's access to Protected Health Information, as hereinafter defined;
WHEREAS, COVERED ENTITY and Business Associate desire to protect the privacy and provide for the security of such COVERED ENTITY Protected Health Information as required by state and federal law, including but not limited to the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, and the Health Information Technology for Economic and Clinical Health Act, Public Law 111-05 ("HITECH Act"), and regulations promulgated, or to be promulgated, thereunder (collectively, "HIPAA"); and
WHEREAS, in order for COVERED ENTITY and Business Associate to comply with HIPAA, Business Associate must agree to certain provisions designed to preserve the privacy and security of Protected Health Information obtained by Business Associate in the course of providing services to or on behalf of COVERED ENTITY.
NOW THEREFORE, for good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the parties hereto agree as follows:
In providing services under the Services Agreement and hereunder, Business Associate shall ensure that it acts in compliance with all applicable federal and state laws and regulations including, without limitation, HIPAA and the Health Information Technology for Economic and Clinical Health Act, Public Law 111-005 ("the HITECH Act"), as in effect or as amended.
For the purposes of this Agreement, HIPAA's definitions shall apply, as well as the following terms, which shall have the following meanings:
"Covered Entity PHI" shall mean PHI created or received by Business Associate from or on behalf of COVERED ENTITY.
"Individual" shall have the same meaning as the term "individual" in 45 C.F.R. § 160.103 as in effect or as amended, and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. § 164.502(g), as in effect or as amended.
"Privacy and Security Rule" shall mean the Security Standards for the Protection of Electronic Protected Health Information and the Standards for Privacy of Individually Identifiable Health Information set forth at 45 C.F.R. part 160 and part 164, as in effect or as amended.
"Protected Health Information" or "PHI" shall have the same meaning as the term "protected health information" in 45 C.F.R. § 160.103, as in effect or as amended. For the purposes of this Agreement, PHI and EPHI are collectively referred to as "PHI" or "COVERED ENTITY PHI", unless otherwise specified.
"Secretary" shall mean the Secretary of the Department of Health and Human Services or his or her designee.
"Security Incident" shall mean the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
The parties acknowledge the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents for which no additional notice to Covered Entity shall be required. "Unsuccessful Security Incidents" shall include, but not be limited to, pings and other broadcast attacks on Business Associate's firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of PHI.
All other capitalized terms used in this Agreement but not otherwise defined will have the same meaning as those terms in the Privacy and Security Rule.
Business Associate agrees and warrants that it may use or disclose COVERED ENTITY PHI only as permitted or required by this Agreement or as required by law. To the extent Business Associate carries out any of COVERED ENTITY's obligations under HIPAA, Business Associate agrees and warrants that it shall comply with the requirements of HIPAA that apply to COVERED ENTITY in the performance of such obligations.
Business Associate agrees and warrants that it may use or disclose PHI for the following purposes only:
Business Associate shall not use or disclose COVERED ENTITY PHI in any manner which would violate the Privacy and Security Rule if so used or disclosed by COVERED ENTITY, and shall assure that its employees, representatives, agents, and contractors agree in writing to adhere to the same restrictions and conditions on the Use, Disclosure, and security of PHI and Personal Information as provided for herein, and specifically do not use or disclose COVERED ENTITY PHI in any manner which would violate the Privacy and Security Rule if so used or disclosed by COVERED ENTITY.
Business Associate shall, to the extent required by the "minimum necessary" requirements of HIPAA, request, use and disclose the minimum amount of COVERED ENTITY PHI necessary to accomplish the purpose of the request, use or disclosure. To the extent practicable, Business Associate shall not request, use or disclose any Direct Identifiers (as defined in the limited data set standard of HIPAA) and shall comply with the minimum necessary guidance to be issued by the Secretary pursuant to the HITECH Act.
Business Associate agrees and warrants that it shall not Use or Disclose PHI in any manner that would constitute an impermissible Use or Disclosure under the HIPAA Regulations, particularly Subpart E of 45 CFR Part 164, if so used or disclosed by COVERED ENTITY. Business Associate also agrees and warrants that it shall not Use or Disclose PHI for Fundraising or Marketing purposes or otherwise receive remuneration, either directly or indirectly, in exchange for PHI, except with prior written consent of COVERED ENTITY and as lawfully permitted; however, this prohibition shall not affect payment to Business Associate by COVERED ENTITY for services provided pursuant to the Underlying Agreement(s) between the two. Further, Business Associate agrees and warrants that it shall not Disclose PHI to a Health Plan for Payment or Health Care Operations if the patient has requested this special restriction and has paid out of pocket in full for the health care item or service to which the PHI solely relates.
Business Associate agrees and warrants that it shall comply with the HIPAA Security Rule with respect to COVERED ENTITY PHI. Business Associate agrees that it will use appropriate safeguards to prevent the use or disclosure of COVERED ENTITY PHI in a manner contrary to the terms and conditions of this Agreement and will implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of COVERED ENTITY PHI that Business Associate creates, receives, maintains, or transmits on behalf of COVERED ENTITY. Such safeguards shall include, but not be limited to those required by applicable law, including, but not limited to, the Privacy and Security Rule. Business Associate shall ensure that: only those employees and agents of Business Associate that have a business need to know COVERED ENTITY PHI are provided with access to it; access is limited to the minimum amount necessary to accomplish the intended purpose of the access; all employees and agents of Business Associate handling COVERED ENTITY PHI are educated on how to maintain its confidentiality and the requirements of this Agreement; and all COVERED ENTITY PHI is stored and transmitted in a secure environment and in a manner that prevents its inadvertent disclosure.
Business Associate shall mitigate, to the extent practicable, any materially harmful effect that is known to Business Associate of a use or disclosure, including a Breach, of COVERED ENTITY PHI by Business Associate, in violation of this Agreement or HIPAA.
Business Associate shall, without unreasonable delay, but in no event later than five (5) business days after becoming aware of any acquisition, access, use, or disclosure of Protected Health Information in violation of this Agreement by Business Associate, its employees, other agents or contractors or by a third party to which Business Associate disclosed COVERED ENTITY PHI (each, an "Unauthorized Use or Disclosure"), report such use or disclosure, in writing, to COVERED ENTITY. Without limiting the foregoing, Business Associate shall report to COVERED ENTITY any acquisition, access, use, or disclosure that is potentially reportable under Sections 6.1–6.3 of this Agreement, even if it determines that there is a low probability that the PHI or Personal Information, as applicable, has been compromised.
Business Associate shall, without unreasonable delay, but in no event later than five (5) business days after becoming aware of any Security Incident, report it, in writing, to COVERED ENTITY.
Business Associate shall, without unreasonable delay, but in no event later than five (5) business days after becoming aware of a Breach of COVERED ENTITY PHI (whether secure or unsecured), report such Breach, in writing, to COVERED ENTITY in accordance with 45 C.F.R. § 164.410.
Business Associate shall enter into a written agreement meeting the requirements of 45 C.F.R. §§164.504(e) and 164.314(a)(2) with each Subcontractor (including, without limitation, a Subcontractor that is an agent under applicable law) that creates, receives, maintains or transmits Protected Health Information on behalf of Business Associate. Business Associate shall ensure that the written agreement with each Subcontractor obligates the Subcontractor to comply with restrictions and conditions that are at least as restrictive as the restrictions and conditions that apply to Business Associate under this Agreement.
At the request of COVERED ENTITY, Business Associate agrees and warrants that it shall provide access to COVERED ENTITY PHI in a Designated Record Set to COVERED ENTITY or, as directed by COVERED ENTITY, to an Individual in order to meet the requirements of 45 C.F.R. § 164.524. COVERED ENTITY may, in its sole discretion, deny access to the COVERED ENTITY PHI requested by an Individual.
To the extent Business Associate maintains a Designated Record Set for COVERED ENTITY, Business Associate agrees and warrants that it shall provide to COVERED ENTITY any COVERED ENTITY PHI in that Designated Record Set requested by COVERED ENTITY for amendment as required by 45 C.F.R. § 164.526 within ten (10) days of receipt of such request. Business Associate agrees and warrants that it shall make any amendments to COVERED ENTITY PHI as directed by COVERED ENTITY within thirty (30) days of COVERED ENTITY's request for such amendment, and shall notify COVERED ENTITY, in writing, when such amendment has been completed.
Business Associate agrees and warrants that it shall make its internal practices, books, and records relating to the use and disclosure of COVERED ENTITY PHI received from, or created or received by Business Associate on behalf of, COVERED ENTITY available to COVERED ENTITY, or to the Secretary, in a time and manner designated by COVERED ENTITY or the Secretary, for purposes of the Secretary's determining COVERED ENTITY's and/or Business Associate's compliance with the Privacy and Security Rule. Business Associate shall cooperate with the Secretary if the Secretary undertakes an investigation or other review to determine COVERED ENTITY's or Business Associate's compliance with the Privacy and Security Rule, and shall retain any and all such records, and submit such compliance reports, as may be required by the Secretary or the Privacy and Security Rule.
Business Associate shall document such disclosures of COVERED ENTITY PHI and information related to such disclosures as would be required for COVERED ENTITY to respond to a request by an Individual for an accounting of disclosures of COVERED ENTITY PHI in accordance with 45 C.F.R. § 164.528, as in effect or as amended.
Business Associate agrees and warrants that it shall provide to COVERED ENTITY or an Individual, in a time and manner designated by COVERED ENTITY, such information collected in accordance with Section 11 above to permit COVERED ENTITY to respond to a request by an Individual for an accounting of disclosures of COVERED ENTITY PHI in accordance with 45 C.F.R. § 164.528. Business Associate agrees and warrants that it shall provide, at a minimum, the following information for each disclosure: (a) the date of the disclosure; (b) the name and, if known, address of the entity or person who received the COVERED ENTITY PHI; (c) a brief description of the COVERED ENTITY PHI disclosed; and (d) a brief statement of the purpose of such disclosure which includes an explanation of the basis for such disclosure. Business Associate agrees and warrants that it shall provide information to COVERED ENTITY pursuant to this subsection for all disclosures made within six (6) years prior to the date on which the accounting of disclosures was requested.
Business Associate agrees to notify COVERED ENTITY within five (5) business days of Business Associate's receipt of any request, subpoena, or judicial or administrative order for COVERED ENTITY PHI. To the extent COVERED ENTITY decides to assume responsibility for challenging the validity of such request, Business Associate agrees to cooperate fully with COVERED ENTITY in such challenge.
To the extent applicable, Business Associate represents and warrants that it shall conduct only as Standard Transactions, as defined in 45 C.F.R. Part 162, any electronic transactions that Business Associate conducts on behalf of COVERED ENTITY with other Covered Entities or with any entity that requests a transaction be conducted as a Standard Transaction.
COVERED ENTITY shall notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose COVERED ENTITY PHI, to the extent that such changes may affect Business Associate's use or disclosure of COVERED ENTITY PHI.
COVERED ENTITY shall notify Business Associate of any restriction to the use or disclosure of COVERED ENTITY PHI that COVERED ENTITY has agreed to in accordance with 45 C.F.R. § 164.522, to the extent that such restriction may affect Business Associate's use or disclosure of COVERED ENTITY PHI.
COVERED ENTITY shall not request Business Associate to use or disclose COVERED ENTITY PHI in any manner that would not be permissible under the Privacy and Security Rule if done by COVERED ENTITY, other than as expressly permitted in Sections 3.2(b) and 3.2(c) of this Agreement.
This Agreement shall commence as of the Effective Date, and shall continue in effect until such time as:
In the event Business Associate commits a material breach of the terms of this Agreement, COVERED ENTITY may, in its sole discretion, either (a) provide Business Associate with fifteen (15) days to cure such breach, and if Business Associate fails to cure such breach within such period, COVERED ENTITY shall have the right to immediately terminate this Agreement and the Services Agreement; or (b) terminate this Agreement and the Services Agreement immediately, if cure is not possible, as determined by COVERED ENTITY. Termination pursuant to this Section 16.2 shall be without prejudice to any other rights and remedies that COVERED ENTITY may have for a breach of this Agreement. Business Associate acknowledges and agrees that if termination or cure is not feasible, COVERED ENTITY shall report the violation to the Secretary.
Upon the expiration of this Agreement or in the event of the termination of this Agreement for any reason, each party shall be released from all obligations and liabilities to the other under this Agreement and the Services Agreement occurring or arising after the date of such event, except that the expiration or termination of this Agreement shall not relieve Business Associate of Business Associate's obligations under this Section 17, nor shall it relieve Business Associate or COVERED ENTITY from any liability arising from any breach of this Agreement. The Services Agreement shall also terminate concurrently with the termination or expiration of this Agreement, subject to the survival provisions of that Services Agreement.
Immediately upon expiration or termination of this Agreement for any reason, Business Associate shall return, or destroy, all COVERED ENTITY PHI in its possession without retaining copies thereof. Business Associate shall also be responsible for ensuring the return or destruction of COVERED ENTITY PHI in the possession of Business Associate's subcontractors or agents in accordance with this Section.
In the event that Business Associate determines that returning or destroying the COVERED ENTITY PHI is infeasible, Business Associate agrees and warrants that it shall provide to COVERED ENTITY written notification of the conditions that make return or destruction infeasible. In the event that Business Associate determines that returning or destroying the COVERED ENTITY PHI is infeasible, Business Associate agrees and warrants that it shall extend the protections of this Agreement to such COVERED ENTITY PHI and limit further uses and disclosures of such COVERED ENTITY PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such COVERED ENTITY PHI.
It is expressly understood that Business Associate and Business Associate's employees and agents, if any, are not agents or employees of COVERED ENTITY, and have no authority whatsoever to bind COVERED ENTITY, by contract or otherwise.
Nothing expressed or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person or entity other than the parties hereto any rights, remedies, obligations or liabilities whatsoever.
Notwithstanding anything in this Agreement to the contrary, the provisions of Section 17 shall survive the termination of this Agreement and any existing agreement, including the Services Agreement, between COVERED ENTITY and Business Associate.
Any notice to the other party pursuant to this Agreement shall be deemed provided if sent by first class United States mail, postage prepaid, as follows:
if to COVERED ENTITY: Address Listed Above
with a copy to: Chief Legal Officer (at the same address)
if to Business Associate: 11675 Leona St, Frisco, TX 75035
The above addresses may be changed by giving notice of such change in the manner set forth in this Section.
The parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for COVERED ENTITY to comply with HIPAA or other applicable law; provided, however, that any regulations applicable to Business Associate or to COVERED ENTITY with respect to Business Associate promulgated following the Effective Date of this Agreement shall be deemed incorporated into this Agreement until such time as the parties enter into an appropriate amendment. COVERED ENTITY may terminate this Agreement upon thirty (30) days written notice in the event that Business Associate does not promptly enter into an amendment that COVERED ENTITY, in its sole discretion, deems sufficient to ensure that COVERED ENTITY will be able to comply with HIPAA.
Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits COVERED ENTITY to comply with HIPAA or other applicable law.
The terms and provisions of this Agreement shall supersede any other conflicting or inconsistent terms in the Services Agreement. All other terms of the Services Agreement between COVERED ENTITY and Business Associate shall remain in full force and effect.
This Business Associate Agreement ensures HIPAA-compliant handling of protected health information and establishes clear protocols for data security and privacy protection.
TensorLinks Inc. Business Associate Agreement
Last Updated: November 22, 2024