This HIPAA Business Associate Agreement ("BAA") is effective as of the Effective Date and is incorporated into the Website Design, Marketing, and CRTX Agent + Platform Services Agreement (“Agreement”) by and between Executive Whisper, LLC d/b/a Microsite Health, a Florida LLC ("Business Associate") and each of Business Associate’s clients who have entered into said Agreement and provide Protected Health Information, as defined below, to Microsite Health, under said Agreement ("Covered Entity") and for purposes of compliance with the requirements of the Health Insurance Portability and Accountability Act of 1996, the American Recovery and Reinvestment Act of 2009 (Pub. L. 111-5), and their implementing regulations set forth at 45 CFR Parts 160 and 164, as amended (collectively the "HIPAA").
The following terms used in this BAA will have the same meaning as those terms under HIPAA: breach, data aggregation, designated record set, disclose and disclosure, health care operations, individual, minimum necessary, Notice of Privacy Practices, protected health information (referred to herein as “PHI”), required by law, secretary, security incident, subcontractor, unsecured PHI, and use.
Business Associate agrees to:
1.1 Use or disclose PHI received from or on behalf of Covered Entity for the following purposes only:
(a) To perform those services specified in the Agreement, including but not limited to digital communications, patient engagement, scheduling, and digital advertising optimization, provided such use or disclosure is done in a manner that would not violate Subpart E of 45 CFR 164 if done by Covered Entity;
(b) To make a disclosure required by law; and
(c) For the proper management and administration of Business Associate or to carry out Business Associate’s legal responsibilities.
1.2 Make uses, disclosures, and requests for PHI consistent with Covered Entity’s minimum necessary policies and procedures.
1.3 Use appropriate safeguards, including the requirements of Subpart C of 45 CFR Part 164 with respect to electronic PHI, to prevent use or disclosure of PHI other than as provided for herein. This includes ensuring secure transmission and handling of PHI in automated communications and escalations where PHI is transferred to human staff.
1.4 Report to Covered Entity any use or disclosure of PHI not provided for herein of which Business Associate becomes aware, including breaches of unsecured PHI as required at 45 CFR 164.410, and any security incident of which Business Associate becomes aware.
1.5 In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), ensure that any subcontractors, third-party platforms, or digital marketing providers that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such information, including adherence to HIPAA standards.
1.6 Make available PHI in a designated record set to Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.524.
1.7 Make any amendment(s) to PHI in a designated record set as directed or agreed to by Covered Entity pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.526.
1.8 Maintain and make available the information required to provide an accounting of disclosures to Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.528.
1.9 To the extent Business Associate is to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to Covered Entity in the performance of such obligation(s), including secure telehealth communications and scheduling services.
1.10 Make its internal practices, books, and records available to the Secretary for purposes of determining compliance with HIPAA.
2.1 Covered Entity will notify Business Associate of any limitation(s) in Covered Entity’s Notice of Privacy Practices under 45 CFR 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI.
2.2 Covered Entity will notify Business Associate of any changes in, or revocation of, the permission by an individual to use or disclose their PHI, to the extent that such changes may affect Business Associate’s use or disclosure of PHI.
2.3 Covered Entity will notify Business Associate of any restriction on the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 CFR 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.
3.1 Covered Entity will not request Business Associate to use or disclose PHI in any manner that would not be permissible under Subpart E of 45 CFR Part 164 if done by Covered Entity.
4.1 The term of this BAA will be the same as the term of the Agreement, except Covered Entity may terminate this BAA for cause as authorized in Section 4.2 below. This BAA will automatically terminate upon the termination of the Agreement.
4.2 Business Associate authorizes termination of this BAA by Covered Entity if Covered Entity determines Business Associate has violated a material term of the BAA and Business Associate has not cured the breach or ended the violation within the time specified by Covered Entity.
4.3 Upon termination of this BAA for any reason, Business Associate, with respect to PHI received from Covered Entity, or created, maintained, or received by Business Associate on behalf of Covered Entity, will:
(a) Retain only that PHI which is necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities, including performance analysis and reporting as authorized by the Covered Entity;
(b) Return to Covered Entity (or, if agreed to by Covered Entity at the time, destroy) the remaining PHI that the Business Associate still maintains in any form;
(c) Continue to use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 with respect to electronic PHI to prevent use or disclosure of the PHI, other than as provided for in this Section, for as long as Business Associate retains the PHI;
(d) Not use or disclose the PHI retained by Business Associate other than for the purposes for which such PHI was retained and subject to the same conditions set out above which applied prior to termination; and
(e) Return to Covered Entity (or, if agreed to by Covered Entity at the time, destroy) the PHI retained by Business Associate when it is no longer needed by Business Associate for its proper management and administration or to carry out its legal responsibilities, with specific protocols for secure destruction of PHI retained within the CRTX system.
The obligations of Business Associate under this Section 4.3 will survive the termination of this BAA.
5.1 Data Aggregation and Analysis: Business Associate may perform data aggregation and analysis on PHI as permitted under HIPAA, for the purpose of improving patient management insights and optimizing digital advertising, provided that any aggregated data for performance analysis is anonymized or de-identified unless otherwise authorized by the Covered Entity.
6.1 A reference in this BAA to a section of HIPAA means the section as in effect or as amended. The parties agree to take such action as is necessary to amend this BAA from time to time as is necessary for compliance with the requirements of HIPAA and any other applicable federal or state law. Any ambiguity in this BAA will be interpreted to permit compliance with HIPAA.
6.2 Nothing in this BAA will be construed to create any rights or remedies in any third parties or any agency relationship between the parties.
6.3 The terms and conditions of this BAA override and control any conflicting term or condition of the Agreement. All non-conflicting terms and conditions of the Agreement remain in full force and effect.