Business Associate Agreement
NOTE: Terms of the Business Associate Agreement have been communicated within the Terms and Conditions that the Customer accepted and agreed to as part of PARiConnect registration and setup. There may be occasional references in the agreement below that pertain to that more comprehensive document.
Psychological Assessment Resources, Inc. (“PAR”), 16204 N Florida Avenue, Lutz, FL 33549, duly registered as a Florida corporation authorized to do business therein (hereinafter “Business Associate”), and PARiConnect Customer(s), (hereinafter “Customer(s)”), of various addresses throughout the world, expressly agree as follows:
Whereas, Business Associate has, is, and does provide an online, automated computer assessment platform, with Web-based access, hereafter called PARiConnect, for use by PAR Customer(s). Such PAR Customer(s) may enter client data onto PARiConnect, and such client data may contain individually identifiable protected health information (hereinafter “Client PHI”) as defined by § 164.501 of the Standards for Privacy of Individually Identifiable Health Information, 45 C.F.R. Parts 160 through 164, as modified by the Health Information Technology for Economic and Clinical Health Act of 2009, Public Law 111-005 (“the HITECH Act”), and other applicable laws and regulations.
Whereas, Customer(s), in order to meet its obligations to comply with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the privacy and security regulations promulgated under Title II, Subtitle F, §§ 261-264 of HIPAA, the administrative regulations issued by the Department of Health and Human Services (“DHHS”) as found in 45 C.F.R. Parts 160 through 164 (hereinafter HIPAA or DHHS regulations), and the HITECH Act, as such laws and regulations may be amended from time to time, seeks reasonable assurances from Business Associate that Business Associate will comply with the portions of those laws and regulations made applicable to business associates by the HITECH Act.
Whereas, Customer(s) and Business Associate will accomplish the need for Customer(s) to have access to online assessments available within PARiConnect as called for by this Agreement by electronically transmitting and receiving data in agreed formats and to assure that such transactions comply with relevant laws and regulations.
NOW, THEREFORE, the parties agree as follows:
- Breach shall have the meaning specified in § 17921 of the HITECH Act.
- Business Associate shall have the meaning specified in the Privacy Rule, the Security Rule, and § 27938 of the HITECH Act, particularly 45 C.F.R. § 160.103.
- Covered Entity shall have the meaning specified in 45 C.F.R. § 160.103.
- Designated Record Set shall have the meaning specified in 45 C.F.R. § 160.103.
- Electronic Health Record shall have the meaning specified in § 17921 of the HITECH Act.
- Privacy Rule shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. Parts 160 and 164, subparts A and E.
- Protected Health Information (“PHI”) shall have the meaning specified in 45 C.F.R. § 164.501.
- Required by law shall have the meaning specified in 45 C.F.R. § 164.501.
- Secretary shall mean the Secretary of the Department of Health and Human Services and those employees or agents designated to act on the Secretary’s behalf.
- Security or Security Measures means the administrative, physical, and technical safeguards and documentation requirements specified in the Security Rule.
- Security Rule shall mean the Standards for Security of Electronic Protected Health Information at 45 C.F.R. Parts 160 and 164, subparts A and E.
- Unsecured PHI shall have the meaning specified in § 17932 of the HITECH Act and any regulations issued thereunder by the Department of Health and Human Services (“DHHS”).
- Obligations of the Business Associate.
- If and to the extent that and so long as required by the HIPAA provisions of 42 U.S.C. §§ 1171 et seq. and regulations promulgated thereunder, and any additional security requirements contained in Subtitle D of Title IV of the HITECH Act that apply to Customer(s) but not otherwise, Business Associate does hereby assure Customer(s) that Business Associate will implement appropriate safeguards, including, but not limited to, the administrative, physical, and technical safeguards and documentation requirements of the Security Rule to protect the confidentiality, integrity, and availability of any electronic Client PHI that it may indirectly receive, maintain, or transmit on behalf of the Customer(s) and will appropriately safeguard all Customer(s) Client PHI regardless of form or format.
- Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Customer(s) Client PHI by Business Associate in violation of the requirements of this Agreement.
- Business Associate agrees to report to Customer(s) any use or disclosure of the Customer(s) Client PHI not provided for by this Agreement or any security incident of which it becomes aware involving Client PHI of the Customer(s).
- Business Associate shall ensure that any subcontractors or agents to whom Business Associate provides Client PHI received from Customer(s) agree to the same restrictions and conditions that apply to Business Associate with respect to such information.
- Business Associate shall make available Client PHI in accordance with applicable law.
- Business Associate shall provide to individuals who are the subject of Client PHI received from Customer(s) their rights as made applicable to business associates of covered entities.
- Business Associate shall maintain records pursuant to this agreement and provide such records and other necessary information to the Customer(s) or to the Secretary of HHS as may be requested or required in writing and as permitted by law. Business Associate agrees that all records kept in connection with this Agreement are subject to review and audit by the Customer(s) upon reasonable notice and written request by the Customer(s).
- Upon termination of this Agreement in writing by Customer to Business Associate by either party for any reason, Business Associate shall destroy all Client PHI received from Customer(s) that Business Associate still maintains in any form and all copies thereof, shall retain no copies or files of such information, and shall remain obligated not to use, disclose, or provide such information to third parties. Additionally, after 36 months of inactivity on the Customer PARiConnect account, Business Associate will delete all Customer and Client PHI, and will make a presumptive determination that the Customer has ceased use of PARiConnect.
- Business Associate shall incorporate any amendments or corrections to Client PHI when notified by Customer pursuant to applicable law, in the event that Customer cannot access such Client PHI.
- Permitted Uses and Disclosures.
- In the event that Business Associate inadvertently obtains Client PHI, Business Associate may use or disclose such Client PHI only if such use or disclosure is in compliance with each applicable requirement of 45 C.F.R. § 164.504(e) as follows:
- Except as otherwise limited in this Agreement, Business Associate may use or disclose Client PHI to perform functions, activities, or services for, or on behalf of, Customer(s), provided that such use or disclosure would not violate the Privacy and Security Rules if done by Customer(s), and only if such use is disclosed on PARiConnect to both Customer(s) and Customer(s) clients.
- Except as otherwise restricted by this Agreement, Business Associate may use Client PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate. If Business Associate uses such information for the purposes set forth above, it will do so only if the disclosure is required by law or if Business Associate obtains reasonable assurances from the person(s) to whom the information is disclosed that the information disclosed will be held confidential and will be used or further disclosed only as required by law or for the purpose for which Business Associate disclosed it to the person(s). Business Associate shall also ensure that the person(s) to whom Business Associate so discloses information notifies Customer(s) of any instances of breach of confidentiality that such person is aware of.
- Upon termination in writing of this Agreement for any reason, Business Associate shall return or destroy all Client PHI received from Customer(s) or created or received by Business Associate on behalf of Customer(s), including Client PHI that is in the possession of subcontractors or agents of Business Associate. Business Associate may retain no copies of the Client PHI. In the event that Business Associate determines that returning or destroying the Client PHI is not feasible, Business Associate shall provide Customer(s) notification that return or destruction of the Client PHI is not feasible. Upon mutual agreement of the parties that return or destruction is not feasible, Business Associate shall extend the protections of this Agreement and limit further uses and disclosures of such Client PHI to those purposes that make the return or destruction not feasible for so long as the Business Associate maintains the Client PHI. Additionally, after 36 months of inactivity on the Customer PARiConnect account, Business Associate will delete all Customer and Client PHI.
- Application of Civil and Criminal Penalties.
- If Business Associate violates any security provision specified above or §§ 1176 and 1177 of the Social Security Act, 42 U.S.C. §§ 1320d-5 and 1320d-6 shall apply to Business Associate with respect to such violation in the same manner that such sections apply to Customer(s) if it violates such security provisions.
- Business Associate shall be subject to audit of its security measures by the Office of the Inspector General (“OIG”) of DHHS.
- Information Breach Notification Requirements.
- Business Associate recognizes that Customer(s) has certain reporting and disclosure obligations to the Secretary of HHS and others, including the individual, in case of a security breach of unsecured Client PHI. In cases in which Business Associate accesses, maintains, retains, modifies, records, stores, destroys, uses, or discloses Client PHI, Business Associate without unreasonable delay and in no case later than 60 days following discovery of a breach of such information shall notify Customer(s) of any such breach. Such notice shall include the identification of any individual whose unsecured Client PHI has been or is reasonably believed to have been accessed, acquired, or disclosed during the breach.
- Business Associate shall be liable for the costs associated with such breach if caused by Business Associate’s negligent or willful acts or omissions or the negligent or willful acts or omissions of Business Associate’s agents, officers, employees, or subcontractors.
- Business Associate shall maintain comprehensive general liability insurance throughout the term of this Agreement in minimum limits of $1,000,000 Dollars per occurrence or per claim and $10,000,000 Dollars in the aggregate.
- In the event that Business Associate secures claims insurance coverage, it agrees to purchase an unlimited reporting endorsement upon the cancellation or termination of said coverage.
- Business Associate agrees to provide Customer(s) a certificate of insurance evidencing such coverage before the effective date of this Agreement and any renewals thereof if requested.
- If Business Associate proposes to voluntarily cancel or not renew any existing coverage, change the carrier thereof, change the terms thereof, or reduce the limits of such coverage, Business Associate shall give written notice thereof to Customer(s), specifying the nature and proposed date of such proposed cancellation, nonrenewal, change, or reduction. If such proposed cancellation, nonrenewal, change, or reduction is not acceptable to Customer(s), within 30 days after receipt of notice thereof from Business Associate, Customer(s) may notify Business Associate of the termination of this Agreement effective upon the date of such proposed cancellation, nonrenewal, change, or reduction.
- Business Associate agrees to indemnify and hold harmless Customer(s), its Board of Directors, officers, agents, employees, and personnel (hereinafter “Indemnified Party”) from and against any and all claims, demands, suits, losses, causes of action, or liability that the Indemnified Party may sustain as a result of the Business Associate’s breach of its duties or the indemnifying party’s errors or omissions within the terms of this Agreement or vicarious liability of the Customer(s) for any act or conduct of the Business Associate adjudged to constitute fraud, misrepresentation, or violation of any law, including violation of any statute or regulation applicable to the conduct of the Business Associate provided pursuant to this Agreement. This indemnification shall include reasonable expenses, including attorney’s fees incurred by defending such claims and damages incurred by reason of the indemnifying party’s failure to comply with applicable laws, ordinances, and regulations or for damages caused by the indemnifying party.
- Third-party Service Providers. The parties may transmit documents electronically to each party, either directly or through any third-party service provider with which either party may contract. Either party may modify its election to use, not use, or change a third-party service provider upon 30 days’ prior written notice to the other party.
- Costs of Third-party Service Providers. Each party shall be responsible for the costs of any third-party service provider with which it contracts unless otherwise set forth via written (emailed, faxed, or letter) communication between the parties.
- Liability for Acts of Third-party Service Providers. Each party shall be liable for the acts or omissions of its third-party service provider while transmitting, receiving, storing, or handling documents or performing related activities for, with, to, or from such party, provided that, if both parties use the same third-party service provider to effect the transmission and receipt of a document, the originating party shall be liable for the acts or omissions of such third-party service provider as to such Document.
- System Operations. Each party, at its own expense, shall provide and maintain the equipment, software, services, and testing necessary to effectively, reliably, and confidentially transmit and receive documents.
- Signatures. Each party shall adopt as its signature (“Signature”) an electronic identification consisting of symbol(s) or code(s) that are to be affixed to or contained in each Document transmitted by such party. Each party agrees that any Signature of such party affixed to or contained in any transmitted Document shall be sufficient to verify that such party originated such document. Neither party shall disclose to any unauthorized person the Signature of the other party. Such Signature may be represented by the combination of the email address and password of the Customer.
- Proper Receipt. Documents shall not be deemed to have been properly received, and no document shall give rise to any obligation, until accessible to the receiving party at such party’s email address as utilized for PARiConnect registration.
- Verification. Upon proper receipt of any document, the receiving party shall promptly and properly transmit a functional acknowledgment in return. A functional acknowledgment shall constitute conclusive evidence that the receiving party has properly received a document.
- Integrity. The parties will take reasonable measures to protect the integrity of all documents and data. Neither party will insert any virus, key locks, or other programs into the system, regardless of whether or not a dispute exists between the parties. The receiving party will return the information in usable form upon request or at the end of the contract.
- Business Associate may amend this Agreement from time to time to the extent required by the provisions of 42 U.S.C. §§ 1171 et seq., HIPAA, the HITECH Act, and regulations promulgated thereunder to ensure that this Agreement is consistent therewith.
- Term of Contract.
- The term of the Agreement shall be effective as of the effective date when such terms are electronically accepted by the Customer and shall terminate when all Client PHI provided by Customer(s) to Business Associate or created or received by Business Associate on behalf of Customer(s) is destroyed or, if it is not feasible to destroy such Client PHI, protections are extended to such Client PHI in accordance with the termination provisions above.
- Without limiting the rights and remedies of Customer(s) elsewhere set forth in this Agreement or available under applicable law, Customer(s) may terminate this Agreement without penalty or recourse to Customer(s) if Customer(s) determines that Business Associate has violated a material term of the provisions of this Agreement and has not cured the breach to the satisfaction of the Customer(s), in the Customer(s)’s sole discretion.
- This Agreement also contains a number of stipulations that are specific to the use of PARiConnect by the Customer, and such stipulations have been included in the Terms and Conditions, General Information, and/or additional disclosures contained in this document, to which the Customer(s) agrees. By accepting this Agreement, Customer also agrees to be bound by the additional terms.