Business Associate Agreement
XRHealth Business Associate Agreement
Last updated on July 13th, 2023.
This Business Associate Addendum (“Addendum”) is made as of the effective date of the Statement of Work by and between the customer set forth on the Statement of Work (“Customer”) and XRHealth USA, Inc. (“Business Associate”).
RECITALS
1. The purpose of this Addendum is to comply with the business associate requirements of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), its associated regulations (45 CFR Parts 142 and 160-164), and the 2009 Health Information Technology for Economic and Clinical Health (“HITECH”) Act.
2. Customer and Business Associate have entered into a statement of work (hereinafter, the “Agreement”) under which Business Associate receives and uses Protected Health Information (“PHI”) and/or Electronic Protected Health Information (“EPHI”) in the course of providing certain services (“Services”) to Customer.
3. Customer is a “Covered Entity” under the HIPAA Privacy Rule. The Agreement is therefore subject to the business associate requirements in the HIPAA Privacy Rule.
4. The HIPAA Privacy and Security Rules require all business associates of Customer to agree, in writing, to certain mandatory terms and conditions relating to the business associates’ use and disclosure of EPHI and PHI received from Customer.
5. The HITECH Act requires incorporation of additional privacy and security provisions into this Addendum.
NOW THEREFORE, in consideration of the mutual covenants and promises contained herein, the Parties, each intending to be legally bound hereby, agree as follows:
I. DEFINITIONS
A. Accounting. Accounting shall have the same meaning as set forth in 45 C.F.R. §164.528 and in §13405 of the HITECH Act.
B. Breach. Breach means the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information, except that the following do not constitute breaches:
1. The unintentional acquisition, access or use of protected health information by a workforce member or person acting under the authority of a covered entity or a business associate, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not otherwise permitted;
2. The inadvertent disclosure of protected health information from one person authorized to access protected health information at a covered entity or business associate to another person authorized such access at the same covered entity or business associate, or organized health care arrangement in which the covered entity participates; and the information received is not further used or disclosed in a manner not otherwise permitted;
3. The disclosure of protected health information where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.
C. Business Associate. Business Associate shall have the same meaning as set forth in 45 C.F.R. §160.103.
D. Covered Entity. Covered Entity shall have the same meaning as set forth in 45 C.F.R. §160.103.
E. Disclose/Disclosure. The release, transfer or provision of access to PHI or EPHI, whether oral or recorded in any form or medium.
F. Electronic Health Record. Electronic Health Record shall have the same meaning as set forth in 42 U.S.C. § 17921 (an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff).
G. Electronic Protected Health Information. Any protected health information that is transmitted or maintained by electronic media, as that term is defined by the HIPAA Security Rule (including, but not limited to electronic storage media such as computer hard drives, storage or memory disks/cards, and electronic transmission media such as the internet, extranet, leased lines, dial-up lines, and the physical movement or transport of electronic storage media).
H. Protected Health Information. Any information, whether transmitted by or maintained in electronic media or transmitted or maintained in any other form or medium, that relates to the past, present or future physical or mental health or condition of any individual, the provision of health care to an individual, or the past, present or future payment for the provision of health care to an individual.
I. Security. Security shall have the same meaning as set forth in 45 C.F.R. § 164.304.
J. Unsecured Protected Health Information. Unsecured Protected Health Information is Protected Health Information that is not secured by a methodology specified by the Secretary of Health and Human Services (“Secretary”). The Secretary has specified that encryption and the destruction of the media on which the Protected Health Information is stored or recorded are the only methods that render Protected Health Information unusable, unreadable, or indecipherable.
K. Use. The sharing, employment, application, utilization, examination, or analysis, in any form or medium, of Protected Health Information by Business Associate.
II. GENERAL OBLIGATIONS
Business Associate shall comply fully with all obligations imposed on Business Associates under the HIPAA Privacy and Security Rules and the HITECH Act regarding the Business Associate’s use, disclosure or creation of PHI and EPHI received from, or created or received by Business Associate on behalf of Customer.
III. SCOPE OF PERMITTED USES AND DISCLOSURES
A. Business Associate shall use and/or disclose PHI and EPHI only as permitted or required by this Addendum or as otherwise required by law. Business Associate represents and warrants that PHI and EPHI will be used and disclosed solely as necessary to perform the Services established by the Agreement.
B. Business Associate may disclose PHI and EPHI to, and permit the use of PHI and EPHI by, its employees, contractors, agents, or other representatives only if and to the extent directly related to, and necessary for, the performance of the Services for or on behalf of Customer. Disclosures of PHI and EPHI to, and use of PHI and EPHI by, subcontractors, agents and other representatives are also subject to Section VII below.
C. Business Associate represents and warrants that it shall request from Customer no more than the minimum PHI and EPHI necessary to perform the Services. Business Associate further represents and warrants that if it uses, discloses, releases, reveals, shows, sells, rents, leases, loans, publishes or otherwise grants access to PHI and EPHI, it will do so only in the minimum amount and to the minimum number of individuals necessary to achieve the purpose of the Services being rendered on behalf of Customer.
D. Reserved.
E. Except as otherwise limited by this Addendum, Customer authorizes Business Associate to use the PHI and EPHI in its possession for the proper management and administration of Business Associate’s business and to carry out its legal responsibilities. Business Associate may disclose PHI and EPHI for its proper management and administration or to carry out its legal responsibilities, provided that (i) such disclosures are required by law; or (ii) Business Associate obtains, in writing, prior to making any disclosure to a third party (a) reasonable assurances from such third party that PHI or EPHI will be held in confidence as provided under this Addendum and used or further disclosed only as required by law or for the purpose for which it was disclosed to such third party; and (b) an agreement from such third party to notify Business Associate immediately of any breaches of the confidentiality of PHI or EPHI, to the extent it has knowledge of such breach.
F. In the event that Business Associate is providing services to any Covered Entity that is an affiliate, subsidiary, or related corporate entity of Customer, Business Associate shall abide by the terms of this Addendum with respect to PHI and EPHI received or created by Business Associate in connection with services provided to such Covered Entities.
IV. SAFEGUARDS FOR THE PROTECTION OF PHI and EPHI
Business Associate represents and warrants that it shall implement and maintain administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the PHI and EPHI that Business Associate creates, receives, maintains, or transmits on behalf of Customer, and to ensure that PHI and EPHI are not used or disclosed by Business Associate in violation of this Addendum. To the extent that Business Associate is to carry out one or more of Customer’s obligation(s) under Subpart E of 45 C.F.R. Part 164, Business Associate shall comply with the requirements of Subpart E that apply to Customer in the performance of such obligation(s).
V. REPORTING AND MITIGATING THE EFFECT OF UNAUTHORIZED DISCLOSURES
A. Business Associate shall report any use and/or disclosure of PHI and EPHI that violates this Addendum in writing to Customer’s Privacy Officer, as soon as practicable and in all events no later than ten (10) days after Business Associate obtains knowledge of said violation.
B. Business Associate shall establish procedures for mitigating, to the greatest extent possible, any deleterious effects arising from any improper use and/or disclosure of PHI and EPHI, and shall implement all such procedures and all other reasonable mitigation steps reasonably requested by Customer.
VI. USE BY AND DISCLOSURE TO SUBCONTRACTORS, AGENTS AND REPRESENTATIVES
Prior to disclosing any PHI and EPHI to any subcontractor, agent, or other representative that is authorized to create, receive, maintain, or transmit PHI and EPHI on behalf of Business Associate, Business Associate shall require such person to agree, in writing, to adhere to the same restrictions and conditions on the use and/or disclosure of PHI and EPHI that apply to Business Associate under this Addendum.
VII. INDIVIDUAL RIGHTS
A. Within fifteen (15) days of receiving a written request from Customer, Business Associate shall provide to Customer all applicable information necessary to comply with the requirements of 45 CFR § 164.528 regarding an individual’s right to an accounting of disclosures of PHI and EPHI.
B. Business Associate shall make available PHI and EPHI in a designated record set to Customer or the individual to whom such PHI and EPHI relates, at reasonable times and in a manner reasonably directed by Customer, in order to meet the individual access requirements under 45 CFR § 164.524.
C. Business Associate shall make any amendments to PHI and EPHI that Customer directs in order to meet the amendment requirements under 45 CFR § 164.526.
VIII. AUDIT, INSPECTION AND ENFORCEMENT
A. From time to time upon reasonable notice, Customer may inspect the internal practices, facilities, systems, books, records, and policies and procedures of Business Associate to monitor compliance with this Addendum. Business Associate shall promptly remedy any violation of this Addendum found by Customer and shall certify the same to Customer in writing. The fact that Customer has the right to inspect Business Associate’s internal practices, facilities, systems, books, records, and policies and procedures, whether or not it exercises such right, shall not relieve Business Associate of its responsibility to comply fully with this Addendum. In addition, Customer’s failure to detect any unsatisfactory practice does not constitute acceptance of such practice or a waiver of Customer’s enforcement rights.
B. Business Associate agrees to make its internal practices, books, records, and policies and procedures relating to the use and disclosure of PHI and EPHI available to the Federal Department of Health and Human Services (“HHS”), the Office of Civil Rights (“OCR”), or its agents for the purposes of enforcing the provisions of this Addendum and the HIPAA Privacy Rule. Business Associate further agrees to cooperate with HHS, OCR, or any of its agents during any investigation and/or compliance review for the purpose of determining Customer and/or Business Associate’s compliance with the HIPAA Privacy and/or Security Rules and this Addendum. Business Associate shall notify Customer immediately of any requests made by HHS, OCR or its agents pursuant to this provision, to the extent permitted by law.
C. Upon request, Business Associate shall make available to Customer for inspection any of Customer’s PHI and EPHI that Business Associate, or any of its agents or subcontractors have in their possession.
IX. TERM AND TERMINATION
A. Term. This Addendum shall become effective on the date referenced above, and shall continue in effect while the Agreement remains in force and thereafter with respect to those obligations intended to survive the termination of this Addendum. The Addendum shall terminate in accordance with the termination provisions of the Agreement and this Section IX.
B. Termination by Either Party. Either party may immediately terminate the Agreement if such Party makes the determination that the other Party has breached a material term of this Addendum. Alternatively, in the non-breaching Party’s sole discretion, the non-breaching Party shall provide the breaching Party with a written notice of the existence of a material breach and afford the breaching Party thirty (30) days to cure the material breach. In the event the breaching Party fails to cure the material breach within such time period, the non-breaching Party may immediately terminate the Agreement. Customer also may report any material breach to the Secretary of HHS or OCR.
C. Effect of Termination. Upon termination of the Agreement, Business Associate shall recover any PHI and EPHI in the possession of its subcontractors, agents or representatives or direct them to destroy same. Business Associate shall return to Customer or destroy all such PHI and EPHI, plus all other PHI and EPHI in its possession, and shall retain no copies. If Business Associate believes that it is not feasible to return or destroy the PHI and EPHI as described above, Business Associate shall notify Customer in writing. The notification shall include: (1) a statement that Business Associate has determined that it is not feasible to return or destroy the PHI and EPHI in its possession, and (2) the specific reasons for such determination. In the event such notification is provided, Business Associate shall ensure that any and all protections, limitations and restrictions contained in this Addendum will be extended to any PHI and EPHI retained after the termination of the Agreement, and that any further uses and/or disclosures shall be limited to the purposes that make the return or destruction of the PHI and EPHI infeasible. In any event, termination of this Agreement shall not relieve Business Associate of any of its duties concerning previously received PHI or EPHI, as mandated by law.
X. COMPLIANCE WITH THE HITECH ACT
A. Minimum Necessary Information. Business Associate agrees to use, disclose, and request only the minimum necessary amount of PHI from the Customer in order to accomplish its duties under the Agreement.
B. Administrative Safeguards. Business Associate, where applicable, shall comply with 45 C.F.R. §164.308, as periodically amended, which mandates, among other things, implementation of appropriate administrative safeguards of PHI held by the Business Associate relative to Customer’s patients. Business Associate shall adopt all relevant administrative standards, which include, but are not limited to, security management process, assigned security responsibility, workforce security, information access management, security awareness and training, security incident procedures, contingency plan, evaluation, business associate contract and other arrangements.
C. Physical Safeguards. Business Associate, where applicable, shall comply with 45 C.F.R. §164.310, as periodically amended, which mandates, among other things, implementation of appropriate physical safeguards of PHI. Business Associate shall adopt all relevant physical standards, which include, but are not limited to, access control, workstation use, workstation security, and device and media controls.
D. Technical Safeguards. Business Associate, where applicable, shall comply with 45 C.F.R. §164.312, as periodically amended, which mandates, among other things, implementation of appropriate technical safeguards of PHI. Business Associate shall adopt all relevant technical standards, which include, but are not limited to, access control, audit control, integrity, person or entity authentication, and transmission security.
E. Policies and Procedures and Documentation Requirements. Business Associate shall comply with 45 C.F.R. §164.316, as periodically amended, which mandates, among other things, implementation of appropriate policies and procedures and documentation requirements of PHI. Business Associate shall adopt all relevant policies and procedures and documentation standards, which include, but are not limited to, policies and procedures, and documentation.
F. Privacy Requirements. Business Associate shall comply with the privacy requirements of the HITECH Act, which are hereby incorporated into and made part of this Agreement. By way of example and not limitation, Business Associate shall limit any necessary disclosures to the minimum necessary; in the event that Business Associate maintains PHI in one or more designated record sets electronically, Business Associate shall disclose PHI as necessary to comply with an individual’s request for an electronic copy of PHI; and shall comply with the prohibitions on sale of PHI.
G. Security and Notification Requirements. Business Associate shall comply with the security requirements of the HITECH Act, which are hereby incorporated into and made part of this Agreement. Business Associate shall notify Customer of any security incident of which it becomes aware, including breaches of PHI. Notice shall be made by the Business Associate to the Customer’s HIPAA Officer within ten (10) days from the time the Business Associate is made aware of such breach by sending an email notice in a manner consistent with Section XII. F. NOTICES below. Such notice shall include the identification of each individual whose unsecured PHI has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, or disclosed during such breach. A breach shall be treated as discovered by the Business Associate as of the first day on which such breach is known to the Business Associate or, by exercising reasonable diligence, would have been known to the Business Associate. The Business Associate shall be deemed to have knowledge of a breach if the breach is known, to any person, other than the person committing the breach, who is an employee, officer, or other agent of the Business Associate.
H. Retaliation. Business Associate agrees that it shall refrain from engaging in any threatening, intimidating, and/or retaliatory action(s) against any person(s) making complaints to Business Associate, Customer or HHS to enforce rights granted by HIPAA, as amended by the HITECH Act and/or to report acts or omissions that may violate said rights.
XI. REMEDIES AND INDEMNIFICATION
A. Business Associate acknowledges that the disclosure or use of PHI or EPHI in violation of this Agreement shall give rise to irreparable injury to Customer which is inadequately compensable in monetary damages. Accordingly, Business Associate agrees that, in addition to any other legal or equitable remedies that may be available, Customer shall be entitled to equitable relief, including an injunction and specific performance, in the event of any breach or threatened breach of this Agreement by the Business Associate or its employees or agents.
B. In the event of litigation relating to this Agreement, if a court of competent jurisdiction determines that the Business Associate or any of its employees or agents has breached this Agreement, the Business Associate shall pay all reasonable attorney’s fees incurred by Customer as a result of such breach. In the event a judgment is secured by Customer, all attorney’s fees, as determined by the court and not by a jury, shall be included in any such judgment.
C. Limitation of Liability. Customer shall not be liable to Business Associate or any other person for any consequential, incidental, punitive or other damages arising from the PHI (including, but not limited to, errors or omissions in PHI) or from Customer’s performance or failure to perform under this Agreement.
D. Indemnification. Business Associate agrees to defend, indemnify, and hold harmless Hospital from and against all costs, expenses, liabilities, losses, damages, injunctions, suits, fines, penalties, claims, and demands of every kind and nature, including reasonable attorneys’ fees and court costs, by or on behalf of any person, party, or governmental authority whatsoever arising out of Business Associate’s failure to comply with this Agreement or any applicable laws, requirements, rules or regulations for any federal, state, county or city governmental authority.
In the event of a Breach by Business Associate, its agents, employees, or subcontractors, Business Associate will reimburse and indemnify Customer’s expenses and costs, including attorney’s fees, that are reasonably incurred due to the Breach, including costs associated with the notification of Individuals and the media, as well as credit monitoring and other mitigating actions if determined necessary by Customer.
XII. MISCELLANEOUS
A. Assignment. No assignment of this Addendum or the rights and obligations hereunder shall be valid without the specific written consent of both parties hereto.
B. Governing Law. This Addendum has been executed and delivered in, and shall be interpreted, construed, and enforced pursuant to and in accordance with the laws of the State of Pennsylvania.
C. Gender and Number. Whenever the context hereof requires, the gender of all words shall include the masculine, feminine, and neuter, and the number of all words shall include the singular and plural.
D. Article and Other Headings. The article and other headings contained in this Addendum are for reference purposes only and shall not affect in any way the meaning or interpretation of this Addendum.
E. Amendments and Addendum Execution. This Addendum and amendments thereto shall be in writing and executed in duplicate originals.
F. Notices. Any notices, demand, or communication required, permitted, or desired to be given hereunder shall be in writing and deemed effectively given when sent via email (and confirmation of the email is received within three (3) calendar days from the date of the notice), personally delivered, or mailed by prepaid certified mail, return receipt requested, addressed as follows:
To Business Associate:
XRHealth USA Inc.
200 Highland Ave. STE 202
Needham, MA 02494
Attn: Deepa Javeri
Email: compliance@xr.health
To Customer: to the address set forth in the Agreement.
or to such other address, and to the attention of such other person(s) or officer(s) as either party may designate by written notice to the other party.
G. Waiver of Breach. The waiver by either party of a breach or violation of any provision of this Addendum shall not operate as, or be construed to be, a waiver of any subsequent breach of the same or other provision hereof.
H. Additional Assurance. The provisions of this Addendum shall be self-operative and shall not require further agreement by the parties except as may be herein specifically provided to the contrary; provided, however, each party shall, at the request of the other, execute such additional instruments and take such additional acts as may be necessary to effectuate this Addendum.
I. Addendum Part of Agreement. This Addendum is incorporated by reference and made a part of the Agreement.
J. Inconsistencies. If any terms of this Addendum conflict with or are inconsistent with the terms of the Agreement, the terms of this Addendum shall prevail.