Business Associate Agreement for Verbit Freelancers
This Business Associate Agreement (“BAA”) is entered into by you (“Business Associate”) and Verbit Software Ltd. and/or its affiliated entities (collectively, “Verbit,” and together with Business Associate, the “Parties”), and governs your processing of PHI (defined below) on behalf of Verbit in connection with the services agreement (“Agreement”) between the Parties. The terms of this BAA supplement the Agreement and shall be deemed incorporated therein in their entirety. Capitalized terms used and not specifically defined herein shall have the same meaning as in the Agreement.
- DEFINITIONS AND GENERAL TERMS.
- Pursuant to the Health Insurance Portability and Accountability Act of 1996, the Health Information Technology for Economic and Clinical Health Act of 2009, and the American Recovery and Reinvestment Act of 2009 (as amended, and including its promulgating regulations, collectively referred to herein as “HIPAA”), this BAA addresses the Parties’ obligations under HIPAA with respect to “business associates,” as defined under the privacy, security, breach notification, and enforcement rules at 45 C.F.R. Part 160 and Part 164 (“HIPAA Rules”). A reference in this BAA to a section in the HIPAA Rules means the section as in effect or as amended.
- This BAA is intended to ensure that (i) Business Associate will establish and implement appropriate privacy, security, and data breach related safeguards for the Protected Health Information (as defined under the HIPAA Rules, “PHI”) that Business Associate may receive, create, maintain, use, or disclose in connection with the functions, activities, and services that Business Associate performs for or on behalf of Verbit.
- Unless the context clearly indicates otherwise, the following terms in this BAA shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, disclosure, Electronic Media, Electronic Protected Health Information (ePHI), Health Care Operations, individual, Minimum Necessary, Notice of Privacy Practices, Required By Law, Secretary, Security Incident, Subcontractor, Unsecured PHI, and Use.
- Unless the context clearly indicates otherwise, the capitalized terms in this BAA shall have the same meaning as those terms in the Agreement.
- A reference in this BAA to the Privacy Rule refers to the portions of 45 C.F.R. Part 160 and Subparts A and E of Part 164 that apply to a business associate (the “Privacy Rule”).
- A reference in this BAA to the Security Rule refers to the portions of 45 C.F.R. Part 160 and Subparts A and C of Part 164 that apply to a business associate (the “Security Rule”).
- GENERAL OBLIGATIONS OF BUSINESS ASSOCIATE.
- Business Associate agrees to receive, create, use, and disclose PHI only in a manner that (i) is consistent with this BAA and the HIPAA Rules and only in connection with providing services to Verbit, and (ii) would not violate the HIPAA Rules, including 45 C.F.R. 164.504(e), if the use or disclosure would be done by Verbit. Notwithstanding the foregoing,
- Business Associate may use or disclose PHI as Required By Law.
- Business Associate agrees to make only the minimum necessary uses, disclosures, and requests for PHI where required to do so by the HIPAA Rules.
Business Associate agrees to use appropriate safeguards designed to comply with the Security Rule with respect to ePHI and to prevent use or disclosure of PHI other than as provided for by this BAA. - Business Associate agrees to mitigate, to the extent practicable and in any manner Required By Law, any harmful effect that is known to Business Associate as a result of a use or disclosure of PHI by Business Associate in violation of this BAA’s requirements.
- Business Associate agrees to report to Verbit any actual or attempted Breach of Unsecured PHI of which it becomes aware without unreasonable delay, where a report is required by as required at 45 C.F.R. 164.410. Business Associate’s notification of an actual or attempted Breach of Unsecured PHI under this Section shall comply in all material respects with the HIPAA Rules.
- Business Associate agrees, in accordance with 45 C.F.R. 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, to require that any Subcontractors that create, receive, maintain, or transmit PHI on behalf of the Business Associate in connection with Business Associate’s provision of services to Verbit agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information.
- If Required By Law, Business Associate agrees to make available PHI in a Designated Record Set to, at Verbit’s sole option, either Verbit or the individual or individual’s designee, as necessary to satisfy Verbit’s obligations under 45 C.F.R. 164.524. Business Associate agrees to make any amendments to PHI in a Designated Record Set as directed or agreed to by Verbit pursuant to 45 C.F.R. 164.526, or to take other measures as necessary to satisfy Verbit’s obligations under 45 C.F.R. 164.526, at Verbit’s cost and expense. Nothing herein shall be construed to impose a duty on Business Associate to retain PHI.
- Business Associate agrees to comply with an individual’s request to restrict the disclosure of their personal PHI where such request has been communicated to Business Associate in a manner consistent with 45 C.F.R. 164.522, except where such use, disclosure, or request is required or permitted under applicable law.
- Business Associate agrees to maintain and make available the information required to provide an accounting of disclosures to, at Verbit’s sole option, either Verbit or the individual or individual’s designee, as necessary to satisfy Verbit’s obligations under 45 C.F.R. 164.528.
- Business Associate agrees to make its internal practices, books, and records, including policies and procedures regarding PHI, relating to the use and disclosure of PHI and Breach of any Unsecured PHI received from Verbit, or created or received by the Business Associate on behalf of Verbit, available to Verbit (or the Secretary) for the purpose of Verbit or the Secretary determining compliance with the HIPAA Rules.
To the extent Business Associate is to carry out one or more of Verbit’s obligation(s) under Subpart E of 45 C.F.R. Part 164, Business Associate agrees to comply with the requirements of Subpart E that apply to Verbit in the performance of such obligation(s).
- OBLIGATIONS OF VERBIT.
- To the extent it creates any potential impact on Business Associate’s use or disclosure of PHI hereunder, Verbit shall: (i) provide Business Associate with the Notice of Privacy Practices that Verbit produces in accordance with the Privacy Rule, and any changes or limitations to such notice under 45 C.F.R. 164.520; (ii) notify Business Associate of any restriction to the use or disclosure of PHI that Verbit has agreed to or is required to abide by under 45 C.F.R. 164.522; and (iii) notify Business Associate of any changes in or revocation of permission by an individual to use or disclose PHI.
- Verbit shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Verbit.
- TERM AND TERMINATION.
- This BAA shall be in effect until the Agreement is terminated.
- Upon either Party’s knowledge of a material breach by the other Party, the non-breaching Party shall provide an opportunity for the breaching Party to cure the breach or end the violation. If the breaching Party does not cure the breach or end the violation within a reasonable timeframe, not to exceed thirty days from the notification of the breach, or if a material term of the BAA has been breached and a cure is not possible, the non-breaching Party may terminate this BAA and the Agreement upon written notice to the breaching Party.
- Upon termination of this BAA for any reason, the Parties agree that Business Associate shall return to Verbit or, if expressly agreed to in writing by Verbit, destroy all PHI received from or on behalf of Verbit, or created, maintained, or received by Business Associate on behalf of Verbit, which Business Associate still maintains in any form. Business Associate shall retain no copies of any PHI.
- MISCELLANEOUS
- As between Verbit and Business Associate, all PHI subject to this BAA shall remain the sole property of Verbit.
- The Parties agree to take such action as is necessary to amend this BAA to comply with the requirements of the Privacy Rule, the Security Rule, HIPAA, ARRA, the HITECH Act, the HIPAA Rules, and any other applicable law.
- This BAA constitutes the entire agreement between the Parties related to the subject matter of this BAA, except to the extent that the Agreement imposes more stringent requirements related to the use and protection of PHI upon Business Associate. This BAA supersedes all prior negotiations, discussions, representations, or proposals, whether oral or written. This BAA may not be modified unless done so in writing and signed by a duly authorized representative of both Parties. If any provision of this BAA, or part thereof, is found to be invalid, the remaining provisions shall remain in effect.
- This BAA will be binding on the permitted successors and permitted assignees of Verbit and the Business Associate. However, this BAA may not be assigned, in whole or in part, by Verbit without the written consent of the Business Associate. Any attempted assignment in violation of this provision shall be null and void.
- Except to the extent preempted by federal law, this BAA shall be governed by and construed in accordance with the same internal laws as that of the Agreement.