THIS BUSINESS ASSOCIATE AGREEMENT (“Agreement”) is made and entered into effective the 1st day of service rendering, by and between The Natural Health Company, a Michigan limited liability company located at 1485 Benvenue Street, Sylvan Lake, Michigan 48320 (“BUSINESS ASSOCIATE”), and each of it's active clients ("CLIENT").
RECITALS:
WHEREAS, CLIENT provides administrative services to heath clinics, which are healthcare providers (the “Covered Entities”), and maintains certain confidential protected health information and records concerning healthcare patients;
WHEREAS, CLIENT and BUSINESS ASSOCIATE plan on entering into an agreement (“the Contract”) in which BUSINESS ASSOCIATE has agreed to provide marketing services to CLIENT (the “Services”);
WHEREAS, CLIENT and BUSINESS ASSOCIATE have agreed to conduct all of their business in compliance with all applicable federal, state, and local statutes, regulations, rules, and policies, including, but not limited to, the Health Insurance Portability and Accountability Act of 1996 ("HIPAA");
WHEREAS, in the course of the performance of the Services, BUSINESS ASSOCIATE, and its directors, officers, employees, representatives, successors, assigns, advisors, attorneys, and subcontractors (collectively, the “Agents”), may have access to individually identifiable health information, including demographic data, that relates to a person seeking healthcare services (the “Protected Health Information” or “PHI”);
WHEREAS, BUSINESS ASSOCIATE is a “business associate” of CLIENT as that term is defined in 45 CFR 160.103; and
WHEREAS, CLIENT is willing to provide BUSINESS ASSOCIATE and its Agents with access to the PHI or access to the area in which PHI is stored so that BUSINESS ASSOCIATE can perform the Services, provided BUSINESS ASSOCIATE executes this Agreement as required by the HIPAA regulations.
In consideration for granting BUSINESS ASSOCIATE access to the PHI and for other good and valuable consideration, the receipt and adequacy of which are hereby acknowledged, BUSINESS ASSOCIATE, on behalf of itself and its Agents, hereby agrees as follows:
RECITALS. The above Recitals are hereby incorporated into this Agreement.
BUSINESS ASSOCIATE PERMITTED USES AND DISCLOSURES. BUSINESS ASSOCIATE:
may use or disclose PHI only as provided in this Agreement or as required by law;
may use or disclose PHI only as minimally necessary; and
may not use or disclose PHI in a manner that would violate Subpart E of 45 CFR Part 164 if done by CLIENT or a Covered Entity.
BUSINESS ASSOCIATE DUTIES. BUSINESS ASSOCIATE shall:
keep the PHI strictly confidential and not use or disclose the PHI for any purpose other than as specifically provided in this Agreement or as required by law;
in accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that its Agents and any other persons or entities that create, receive, maintain, or transmit PHI on behalf of BUSINESS ASSOCIATE, agree in writing to the same restrictions, conditions, and requirements that apply to BUSINESS ASSOCIATE with respect to PHI;
with respect to Agents and such other persons and entities, use and maintain appropriate processes to monitor their compliance with HIPAA and immediately correct any noncompliance with HIPAA and/or their written Business Associate Agreement(s);
for use or disclosure specifically provided in this Agreement, disclose any PHI only as minimally necessary;
use and maintain appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic PHI, to prevent the use or disclosure of PHI other than as specifically provided in this Agreement;
report to CLIENT any use or disclosure of PHI not provided for by this Agreement, including breaches of unsecured PHI as required by 45 CFR 164.410 and any security incident of which it becomes aware, without unreasonable delay, but, in any event within five (5) days of the discovery of such unauthorized use or disclosure;
immediately notify CLIENT of any request by an individual for access to his or her PHI and, in response to any such request received by BUSINESS ASSOCIATE or CLIENT, make available to CLIENT, or directly to the individual or his or her designee, any PHI for inspection and copying or in an electronic format, if maintained and requested, in accordance with 45 CFR 164.524 within fifteen (15) days;
immediately notify CLIENT of any request by an individual for amendment of his or her PHI, and, in response to any such request received by BUSINESS ASSOCIATE or CLIENT, make available to CLIENT any PHI for any required amendment and incorporate any amendment to PHI in accordance with 45 CFR 164.526 within thirty (30) days;
immediately notify CLIENTof any request by an individual for an accounting of disclosures and, in response to any such request received by BUSINESS ASSOCIATE or CLIENT, make available to CLIENT the information required to provide an accounting of disclosures in accordance with 45 CFR 164.528 within thirty (30) days;
to the extent BUSINESS ASSOCIATE agrees to carry out one or more of CLIENT’S obligations under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to CLIENT’s performance of such obligations; and
make BUSINESS ASSOCIATE's internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of Health and Human Services (“HHS”) and CLIENT for purposes of determining BUSINESS ASSOCIATE’s and its Agents’ compliance with HIPAA and/or their Business Associate Agreement(s).
This provision shall survive termination of this Agreement.
DE-IDENTIFICATION. BUSINESS ASSOCIATE may store, analyze, access, and use components of PHI that have been “de-identified” and that do not contain individually identifiable health information, provided that any such use is then consistent with applicable law and the terms of this Agreement.
INDEMNIFICATION. BUSINESS ASSOCIATE agrees to defend (at the option of CLIENT) indemnify, and hold harmless CLIENT and its members, managers, agents, shareholders, employees, officers, directors, successors, and assigns, against any and all claims, demands, causes of action, losses, damages, liabilities, judgments, costs and expenses (including reasonable attorneys' fees) asserted against or incurred by them as a result of any violation of, or failure to comply with, this Agreement, HIPAA, or any other statute, rule, or regulation. This provision shall survive termination of this Agreement.
LIMITATION OF LIABILITY / RELEASE. BUSINESS ASSOCIATE acknowledges and understands that CLIENT makes no representations or warranties, express or implied, regarding the content or completeness of the PHI provided to BUSINESS ASSOCIATE. BUSINESS ASSOCIATE agrees to release CLIENT and its members, managers, agents, shareholders, employees, officers, directors, successors, and assigns, from all claims, demands, causes of action, losses, damages, liabilities, judgments, costs or expenses (including reasonable attorneys' fees) asserted against or incurred by BUSINESS ASSOCIATE or its Agents by reason of the use or disclosure of the PHI. This provision shall survive termination of this Agreement.
INSURANCE. In conjunction with the limitation of liability set forth in Section 6 of this Agreement, BUSINESS ASSOCIATE agrees to procure and maintain, at its own expense, in full force and effect during this Agreement, commercial general liability insurance, written on an occurrence basis, with a combined single limit of not less than One Million Dollars ($1,000,000). BUSINESS ASSOCIATE shall provide a Certificate of Insurance evidencing its compliance with this provision to CLIENT upon request.
BREACH AND TERMINATION. This Agreement shall terminate upon conclusion of the Services or upon written notice of CLIENT or a Covered Entity. At termination of this Agreement, BUSINESS ASSOCIATE shall:
return or destroy, at the sole option of CLIENT, all PHI related to CLIENT that the BUSINESS ASSOCIATE still maintains in any form and not retain any copies of such PHI or, if such return or destruction is not feasible, extend the protection of this Agreement to the PHI and limit further uses and disclosures to those purposes that make the return or destruction of the PHI feasible; and
to the extent BUSINESS ASSOCIATE or its Agents still maintain any PHI, continue to comply with this Agreement.
Notwithstanding the above, BUSINESS ASSOCIATE may retain one copy of the data provided by CLIENT, provided BUSINESS ASSOCIATE has de-identified the data so that it does not qualify as PHI and thereafter maintains only one copy in its records.
In the event of a default or breach by BUSINESS ASSOCIATE as set forth above, CLIENT shall have available to it any legal or equitable right or remedy to which CLIENT is entitled, including, but not limited to, injunctive relief. CLIENT shall not be deemed to have waived any of its rights or remedies on account of its failure or delay in exercising any such right or remedy in a particular instance.
RECORD RETENTION. Until the expiration of six (6) years after the furnishing of the BUSINESS ASSOCIATE’s services contemplated by this Agreement, and if and to the extent, and so long as, required by law and not otherwise, BUSINESS ASSOCIATE shall make available upon request of CLIENT, HHS, or the United States Comptroller General and their representatives, this Agreement, and all other books, documents, and records as are necessary to certify the nature and extent of the costs incurred by CLIENT for BUSINESS ASSOCIATE’s services under this Agreement. If BUSINESS ASSOCIATE provides such services through a subcontract worth Ten Thousand Dollars ($10,000) or more over a twelve- month period, such subcontract shall also contain a clause permitting access by CLIENT, HHS, the United States Comptroller General and their representatives to books and records of such related organization. In all events, BUSINESS ASSOCIATE shall immediately notify CLIENT upon receipt by BUSINESS ASSOCIATE of any such request for this Agreement and any other books, documents, and records and shall provide CLIENT with copies of any such materials. This provision shall survive termination of this Agreement.
RE-NEGOTIATION. The parties agree to negotiate in good faith any modification to this Agreement that may be necessary or required to ensure consistency with amendments to and changes in applicable federal and state laws and regulations, including, but not limited to, regulations promulgated pursuant to HIPAA.
MISCELLANEOUS PROVISIONS. This Agreement shall not be assignable by either party without the other’s prior written consent. Notwithstanding the foregoing, this Agreement shall be binding upon and shall inure to the benefit of the parties, and any successor to the operations and business of the parties whether by operation of law or otherwise.
All notices given pursuant to this Agreement shall be in writing and shall be delivered by hand or sent by registered or certified mail, return receipt requested, postage pre-paid, addressed to the party for whom it is intended at its or his address as first set forth above. Any address for the giving of notice may be changed by giving notice to that effect to the other party. Each such notice shall be deemed to have been given on the date of its receipt by the party for whom it was intended, or the date it was refused.
If any provision of this Agreement is or becomes unenforceable, the remainder of this Agreement shall nevertheless remain binding to the fullest extent possible, taking into consideration the purposes and spirit of this Agreement.
This Agreement contains the entire understanding of the parties hereto with regard to the subject matter hereof, and supersede all other agreements and understandings, written and oral, relating to the subject matter hereof. This Agreement may not be amended or modified, nor may any of its provisions be waived, except by a writing executed by both of the parties hereto or, in the case of a waiver, by the party waiving compliance. The waiver of any one breach shall not be construed as a waiver of any rights or remedies with respect to any other breach or subsequent breach.
Any provision of this Agreement which by its terms is intended to survive the termination or expiration of this Agreement shall so survive.
This Agreement shall be governed by and construed in accordance with the laws of the State of Michigan applicable to agreements made and to be performed entirely within such State, without regard to principles of conflicts of law. Any action arising under this Agreement shall be venued in Oakland County.
This Agreement may be executed in one or more counterpart copies, each of which shall be deemed an original and together shall constitute one and the same Agreement.
Each party to this Agreement agrees to comply with all required and applicable components of any then applicable HIPAA Corporate Compliance plan promulgated by that party.
