BUSINESS ASSOCIATE AGREEMENT

THIS BUSINESS ASSOCIATE AGREEMENT is made and entered into as of [date] (the “Effective Date”), by and between [Covered Entity] (together with its affiliates, collectively “Covered Entity”), and Friction Free Dental, Inc. ("FFD"), a Massachusetts corporation having its principal place of business at 25 Northern Avenue, Unit 1519, Boston, MA 02210 (“Business Associate”).

R E C I T A L S:

The Business Associate will support a system utilized by the Covered Entity by means of the Terms of Service between the Covered Entity and the Business Associate (the "Services") and may have access to protected health information of the Covered Entity, including without limitation electronic protected health information (collectively, “PHI”) and the use or disclosure of personal information (“PI”);

The Covered Entity and the Business Associate desire to comply with the requirements of the Health Insurance Portability and Accountability Act of 1996 as amended by the American Recovery and Reinvestment Act of 2009 (“HIPAA”), and implementing regulations which are codified at 45 C.F.R. Parts 160, 162 and 164, as such regulations may be amended from time to time, and the Health Information Technology for Economic and Clinical Health Act, as incorporated in the American Recovery and Reinvestment Act of 2009 and implementing regulations and guidance issued by the Secretary, all as may be amended from time to time (“HITECH”) (collectively referred to herein as the “HIPAA Standards”);

Capitalized terms not defined herein shall have the meaning set forth in the HIPAA Standards;

The HIPAA Standards require that the Covered Entity obtain satisfactory assurances that the Business Associate will appropriately safeguard the PHI used or disclosed by the Business Associate in the course of performing Services; and

In consideration of the foregoing and the mutual promises and covenants herein contained, the parties agree as follows:

1. Permitted Uses and Disclosures by Business Associate

Business Associate may Use and Disclose PHI (i) as necessary to provide the Services to Covered Entity in compliance with each applicable requirement of 45 C.F.R. § 164.504(e); (ii) as Required By Law; or (iii) as otherwise expressly authorized by this Agreement.  Business Associate shall not use or disclose PHI for any other purpose or in any other manner.  Notwithstanding the foregoing, Business Associate may use or disclose PHI for the specific uses and disclosures set forth below:

1.1. Business Associate may, if necessary, Use or Disclose PHI for the proper management and administration of Business Associate, or to carry out the legal responsibilities of Business Associate; provided that: (i) any such Use or Disclosure is Required By Law, or (ii) Business Associate obtains reasonable advance written assurances from the person or party to whom the PHI is disclosed that the PHI will be held confidentially and used or further disclosed only as Required By Law, or for the purpose for which it was disclosed to such person or party, and that such person or party immediately notifies Business Associate of any instances of which it becomes aware in which the confidentiality or integrity of the information has been improperly Used or Disclosed.

1.2.    Business Associate may Use and Disclose PHI for Data Aggregation purposes only if such Data Aggregation services are to be provided by Business Associate for the Health Care Operations of Covered Entity pursuant to any agreements between the Parties evidencing their business relationship.  For purposes of this Agreement, Data Aggregation services means the combining of PHI by Business Associate with the PHI received by Business Associate in its capacity as a business associate of another covered entity, to permit data analyses that relate to the health care operations of the Covered Entity.

1.3     Business Associate may Use and Disclose De-identified Health Information only if written approval from the Covered Entity is obtained in advance and Business Associate de-identifies the PHI in compliance with 45 C.F.R. § 164.514(a)-(c).

2. Obligations of Covered Entity

2.1    Covered Entity shall use good faith efforts to provide Business Associate with the Notice of Privacy Practices that Covered Entity produces in accordance with 45 C.F.R. § 164.520, as well as any changes to such Notice of Privacy Practices and the Business Associate shall comply with such Notice of Privacy Practices.

2.2.    Covered Entity shall provide Business Associate with any changes in, or revocation of, permission by an Individual to use or disclose PHI, if and to the extent such changes affect Business Associate's permitted or required uses and disclosures to the extent that such changes may affect Business Associate's use or disclosure of PHI.

2.3.    Covered Entity shall notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by in accordance with 45 C.F.R. § 164.522, if and to the extent that such restriction may affect Business Associate's use or disclosure of PHI.

2.4.    Covered Entity shall not request Business Associate to Use or Disclose PHI in any manner that would not be permissible under Subpart E of 45 CFR Part 164 if done by Covered Entity.

3. Duties and Obligations of Business Associate

3.1 Security Rule Compliance.  Business Associate shall establish, implement and maintain appropriate administrative, physical and technical safeguards in accordance with the Security Rule that reasonably and appropriately protect the confidentiality, integrity, and availability of any PHI that it creates, receives, maintains, or transmits on behalf of Covered Entity and to prevent the use or disclosure of PHI in any manner other than as permitted by this Agreement.

3.2 Mitigation.  Business Associate agrees to mitigate, to the maximum extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate or a Subcontractor of Business Associate in violation of the requirements of this Agreement.

3.3  Encryption of PHI.  In the event that Business Associate transmits PHI on behalf of Covered Entity via electronic mail over the Internet or stores PHI in the cloud, Business Associate agrees to the extent deemed reasonable and appropriate by Business Associate that such PHI shall be secured by an encryption technology that renders PHI unusable, unreadable, or indecipherable to unauthorized individuals in accordance with the guidance of a standards developing organization that is accredited by the American National Standards Institute, unless otherwise required by the Secretary to meet an alternative standard.

3.4  Reporting Impermissible Uses and Disclosure of PHI; Security Incidents and Breach Reporting.  Business Associate shall report to Covered Entity as soon as practicable and without unreasonable delay, but not more than forty eight (48) hours after Discovery of any incident that involves unauthorized acquisition, access, Use or Disclosure of PHI not permitted under this Agreement, even if Business Associate believes the incident will not rise to the level of a Breach, as defined below, including any Security Incident of which Business Associate becomes aware, including, but not limited to, unwanted disruption or denial of service to systems that contain PHI, unauthorized use of a system for the processing or storage of PHI, attempts (failed and successful) to gain unauthorized access to PHI or a system containing PHI, and/or changes to system hardware, firmware or software characteristics without the owner’s knowledge, instruction or consent, including malware; except that for purposes of this provision, the reporting requirement for Security Incidents shall not include inconsequential incidents that occur on a frequent basis such as port scans or “pings,” and unsuccessful log-on attempts, broadcast attacks on Business Associate’s firewall, denials of service or any combination thereof if such incidents are detected and neutralized by Business Associate’s anti-virus and other defensive software and not allowed past Business Associate’s firewall.  Such incidents that result in unauthorized access, Use, destruction, modification or Disclosure of PHI shall be reported as Security Incidents.  Business Associate shall, in the event of a Security Incident caused directly by Business Associate, make the initial oral report to Covered Entity’s Privacy Officer by telephone at 603-845-3642.  
Business Associate’s initial telephone report to Covered Entity shall be followed up with a written report for such Security Incident within ten (10) days thereafter that meets the requirements of the HIPAA Breach Notification Rule set forth at 45 C.F.R. Part 164 Subpart D, and shall: (i) identify each individual whose unsecured PHI has, or is reasonably believed to have been, involved, (ii) the nature of the non-permitted use or disclosure, (iii) the PHI used or disclosed, (iv) who made the non-permitted use or received the unauthorized disclosure, and (v) what corrective action Business Associate has taken or shall take to prevent future similar unauthorized use or disclosure. In the event Business Associate determines, after using reasonable diligence that the acquisition, access, Use, or Disclosure of PHI was unintentional or inadvertent and Business Associate can affirmatively demonstrate that there is a low probability that the security or privacy of the PHI has been compromised, Business Associate shall nonetheless provide documentation of such to Covered Entity.

a) For purposes of this Agreement and consistent with 45 C.F.R. § 164.402, a “Breach” shall mean the acquisition, access, or use of PHI in a manner not permitted under the HIPAA Standards (specifically, 45 C.F.R. Part 164, Subpart D) which compromises the security or privacy of the PHI.  A Breach shall be treated as discovered by Business Associate as of the first day on which such Breach is known to the Business Associate.  Any impermissible Use or Disclosure of PHI directly by Business Associate is presumed to be a Breach and shall be reported to Covered Entity.

b) Business Associate shall cooperate with Covered Entity and provide all information reasonably requested by Covered Entity to enable Covered Entity to perform and document a risk assessment in accordance with the Breach Notification Rule to determine whether a Breach occurred and whether notification in a particular case is required, and to enable Covered Entity, if applicable, to provide notices to any Individuals, HHS or the media, and any persons under applicable State law.  In the event such notification is required as a result of a Breach caused directly by Business Associate or its subcontractor(s) or agent(s), Business Associate shall reimburse the Covered Entity for its costs and expenses related to providing any such notification, including but not limited to the cost of obtaining credit monitoring services and identity theft insurance for a period not to exceed one year to affected individuals whose PHI or PI has or may have been compromised as a result of such Breach caused directly by Business Associate.

c) Reporting a Security Incident or a Use or Disclosure of PHI not provided for in this Agreement shall not discharge Business Associate’s obligations under this Agreement to report a Breach unless such reporting fully and completely satisfies all of the Breach reporting requirements of this Agreement.

3.5 Use of Subcontractors and Agents.  Business Associate shall ensure that any Subcontractors or agents that create, receive, maintain or transmit PHI on behalf of Business Associate in connection with the Services it provides to Covered Entity shall agree to the same restrictions, conditions and requirements that apply to Business Associate with respect to such information, as provided in this Agreement, in accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), by requiring Subcontractors and agents to enter into a written business associate agreement with Business Associate, incorporating such restrictions, conditions and requirements as are applicable to Business Associate.  Business Associate understands and agrees that it will not assign, delegate, or subcontract any of its rights or obligations under this Agreement to individuals or entities residing outside of the United States.

3.6 Access by Individuals to PHI.  Business Associate shall establish and maintain appropriate procedures to provide access to and copies of PHI maintained in a Designated Record Set, to Covered Entity or, when requested in writing by Covered Entity, to an Individual (or Individual’s designee, as applicable) to permit Covered Entity to meet the requirements of 45 C.F.R. § 164.524.  Business Associate shall provide access to and copies of PHI in a reasonable time, not to exceed fifteen (15) days, unless Business Associate and Covered Entity reasonably agree otherwise in writing. In the event any individual requests access to PHI directly from Business Associate, Business Associate shall immediately forward such request to Covered Entity so that Covered Entity can respond directly to such Individual in accordance with 45 C.F.R. § 164.524.  Any denials of access to the PHI requested by an Individual shall be the responsibility of Covered Entity.

3.7 Availability of Internal Practices, Books and Records.  Business Associate agrees, subject to duties of confidentiality with Business Associate and upon prior written notice to Business Associate (not less than ten (10) business days), to make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created, transmitted or received by Business Associate on behalf of Covered Entity, available to the Secretary, in the time and manner designated by the Secretary, or to Covered Entity for purposes of determining Covered Entity’s and/or Business Associate’s compliance with HIPAA, HITECH, and the HIPAA Regulations.  Upon receipt of a request from the Secretary, Business Associate shall promptly notify Covered Entity in writing unless such notification would be contrary to law.

3.8 Amendment of PHI.  Business Associate agrees to make any amendment(s) to PHI in a Designated Record Set that Covered Entity determines is required to enable Covered Entity to comply with 45 C.F.R. § 164.526.  Except for good cause shown in writing to Covered Entity, Business Associate shall act upon Covered Entity’s request for an amendment within ten (10) business days of receipt of Covered Entity’s request.

3.9 Accounting of Disclosures.  Business Associate agrees to identify, track and document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. §164.528.  Upon Covered Entity’s request, Business Associate shall provide to Covered Entity an accounting of all disclosures of PHI by Business Associate or its employees, agents, representatives or Subcontractors, in accordance with the requirements of 45 C.F.R. § 164.528 and such other federal or state rules governing accounting for disclosures that may be in effect from time to time.  Business Associate shall respond to such request from Covered Entity in writing and not later than ten (10) business days after receiving such request, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528.  Business Associate shall maintain a process to provide this accounting of disclosures for as long as Business Associate maintains PHI received from or on behalf of Covered Entity.

3.10 Requests for Restrictions on Confidential Communications.  To the extent applicable, Business Associate shall comply with any agreements for confidential communications of which it is aware and to which Covered Entity agrees pursuant to 45 C.F.R. § 164.522(b) by communicating with Individuals using agreed upon alternative means or alternative locations.

3.11 Restrictions on Sale of PHI, Marketing and Fundraising Uses of PHI.  Business Associate shall not: (i) directly or indirectly, receive remuneration in exchange for any PHI, in accordance with 45 C.F.R. § 164.502(a)(5)(ii); (ii) make or cause to be made any communication about a product or service that is prohibited under 45 C.F.R. §§ 164.501 and 164.508(a)(3); or (iii) make or cause to be made any written fundraising communication that is prohibited under 45 C.F.R. § 164.514(f).

3.12 Offshoring Prohibition.  Neither Business Associate, nor its Subcontractors, shall create, receive, maintain, transmit, use or disclose PHI to any Offshore (i.e., outside the United States) recipient without the Covered Entity’s prior written consent.  Business Associate’s requests for permission to send PHI Offshore must be submitted in writing to Covered Entity’s privacy officer.  The request must include details sufficient to identify the Offshore Company, the specific PHI to be transmitted or accessed by the Offshore Company, and the purpose for which the PHI will be used or accessed by the Offshore Company.  Covered Entity reserves the right to request and, upon that request Business Associate must provide, additional documentation and evidence of Offshore Company’s compliance with the terms of this Agreement.  Business Associate shall ensure that representatives of Covered Entity and of Medicare plans in which Covered Entity participates have the right to audit any Offshore Company receiving PHI; provided, however, that such audits will be limited to the use and disclosure of PHI by the Offshore Company and the administrative, physical, technical and organizational privacy and security safeguards, and policies, procedures and documentation addressing the privacy and security of PHI.

3.13. Compliance.  To the extent that Business Associate is to carry out one or more of Covered Entity's obligation(s) under the Privacy Rule, Business Associate agrees to comply with the requirements of the Privacy Rule that apply to the Covered Entity in the performance of such obligation(s).

3.14. Penalties. Business Associate recognizes that violation of any HIPAA Standard by Business Associate may subject Business Associate to civil and criminal penalties, including those set forth in 42 U.S.C. § 1320d-5 and 1320d-6.

4. Term and Termination

4.1 Term.  The Term of this Agreement shall be effective as of the Effective Date, and shall terminate when all of the PHI and PI maintained by Business Associate on behalf of Covered Entity, is properly and completely destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy the PHI and PI, protections are extended to such PHI and PI in accordance with the termination provisions in this Section.

4.2 Termination for Cause.  Upon Covered Entity's knowledge of a material breach of this Agreement by Business Associate, Covered Entity shall provide an opportunity for Business Associate to cure the breach or end the violation, and Covered Entity shall terminate the Agreement if Business Associate does not cure the breach or end the violation within the time specified by Covered Entity, or immediately terminate the Agreement if Business Associate has breached a material term of this Business Associate Agreement and cure is not possible, as determined by the Covered Entity in its reasonable discretion.

4.3 Effect of Termination.

4.3.1 Except as provided in subparagraph 4.3.2, upon termination of this Agreement, for any reason, Business Associate shall return or destroy all PHI and PI maintained by Business Associate on behalf of Covered Entity.  This provision shall apply to PHI and PI that is in the possession of Subcontractors or agents of Business Associate.  Business Associate shall retain no copies of the PHI or PI.

4.3.2. In the event that Business Associate determines that returning or destroying the PHI or PI is infeasible, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction infeasible.  The Business Associate shall extend the protections of this Agreement to such PHI and PI as is minimally necessary for the Business Associate to continue its proper management and administration or to carry out its legal responsibilities, and limit further uses and disclosures of such PHI and PI to those purposes that make the return or destruction infeasible.  Business Associate (i) shall not use or disclose such PHI and PI, (ii) shall maintain its security pursuant to this Business Associate Agreement and (iii) shall continue to use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 with respect to electronic PHI to prevent use or disclosure of the PHI, in each case for so long as Business Associate maintains such PHI and PI.

4.3.3 The Business Associate shall return to Covered Entity or destroy the PHI and PI retained by the Business Associate when it is no longer needed by the Business Associate for its proper management and administration or to carry out its legal responsibilities.

4.4. The parties hereto understand and agree that the terms of this Agreement are reasonable and necessary to protect the interests of the Covered Entity and the Business Associate.  The parties further agree that the Covered Entity would suffer irreparable harm if the Business Associate breached this Agreement.  Thus, in addition to any other rights or remedies, all of which shall be deemed cumulative, the Covered Entity shall be entitled to seek injunctive relief to enforce the terms of this Agreement.

5. Indemnification.

Business Associate agrees to indemnify and hold harmless Covered Entity and its directors, officers, and employees, individually and collectively, against all third-party liabilities, damages, claims, penalties, fines and costs, including costs of investigation and reasonable attorneys’ and consultants’ fees and expenses (collectively, “Losses”) reasonably incurred by Covered Entity to the extent arising out of: (i) the grossly negligent or fraudulent act or omission of Business Associate, its agents, representatives or Subcontractors in connection with performance of this Agreement; or (ii) a violation of HIPAA or the HIPAA Standards by Business Associate, its agents, representatives or Subcontractors in connection with performance of this Agreement.  This provision shall survive termination or expiration of this Agreement for any reason.

6. Miscellaneous

6.1 Limitation of Liability.  IN NO EVENT SHALL BUSINESS ASSOCIATE BE LIABLE TO COVERED ENTITY HEREUNDER FOR ANY LOSS OF PROFITS OR OTHER INCIDENTAL, INDIRECT, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES, EVEN IF BUSINESS ASSOCIATE HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.  IN NO EVENT SHALL BUSINESS ASSOCIATE'S LIABILITY TO COVERED ENTITY IN CONTRACT, TORT OR OTHERWISE ARISING OUT OF OR IN CONNECTION WITH THIS AGREEMENT EXCEED FIVE HUNDRED THOUSAND U.S. DOLLARS ($500,000).

6.2 Survival.  The respective rights and obligations of Business Associate under Section 4.3 of this Agreement shall survive the termination of this Agreement and this Section 6 shall survive the termination of this Agreement.

6.3 Interpretation.  Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits the Parties to comply with the HIPAA Standards.

6.4 No Private Cause of Action.  This Agreement is not intended to and does not create a private cause of action by any individual, other than the parties to this Agreement, as a result of any claim arising out of the breach of this Agreement, the HIPAA Standards, or other state or federal law or regulation relating to privacy or security.

6.5 Amendment.  The parties agree to take such action as is necessary to amend this Agreement from time to time for Covered Entity and Business Associate to comply with the requirements of HIPAA, HITECH, and the HIPAA Standards, and other applicable federal and state laws governing the privacy and security of protected health information.  This Agreement may not be amended except in a writing signed by both Parties.

6.6 Application of State Law.  Where any applicable provision of State law relates to the privacy or security of health information and is not preempted by HIPAA, as determined by application of the HIPAA Standards, the parties shall comply with the applicable provisions of State law.

6.7 Severability.  If any provision of this Agreement shall be declared invalid or illegal for any reason whatsoever, then notwithstanding such invalidity or illegality, the remaining terms and provisions of this Agreement shall remain in full force and effect.

6.8 Governing Law.  This Agreement shall be interpreted, construed, and governed according to the laws of the Commonwealth of Massachusetts, without regard to its principles of conflicts of laws.  The parties agree that venue shall lie in the Commonwealth of Massachusetts, without regard to its conflicts of law principles, regarding any and all disputes arising from this Agreement.

6.9 Notices.  Any notice or other communication given pursuant to this Agreement must be in writing and (a) delivered personally, (b) delivered by nationally recognized overnight courier, or (c) sent by registered or certified mail, postage prepaid, to the address set forth below and shall be considered given upon delivery.

If to Covered Entity:                         Compliance Officer
                                                             [Covered Entity] 
                                                             [Address]

If to Business Associate:                 Compliance Officer
                                                             Friction Free Dental, Inc. 
                                                             25 Northern Avenue, Unit 1519 
                                                             Boston, MA 02210

[SIGNATURE PAGE FOLLOWS]

IN WITNESS WHEREOF, the parties hereto have executed this Business Associate Agreement as of the Effective Date.

[Covered Entity]                                                      

By:                                                                              
Name:                                                                       
Title:

BUSINESS ASSOCIATE                                             

By:                                                                              
Name:   Kevin Farrell
Title:      CEO