Last Updated: October 31, 2017
This HIPAA Business Associate Agreement (“BAA”) is entered into by and between MH Sub I, LLC (“Business Associate”) and you (“Healthcare Provider”), who entered into a Service Agreement with Business Associate, for the purpose of compliance with the Health Insurance Portability and Accountability Act and its implementing administrative simplification regulations (“45 CFR 160-164”) (“HIPAA”), Subtitle D of the Health Information Technology for Economic and Clinical Health Act (“HITECH”), and the Omnibus Rule of 2013 (“Omnibus Rule”). This BAA hereby amends and is incorporated into any underlying agreement between Healthcare Provider and Business Associate; to the extent that the provisions of this BAA conflict with those of an underlying agreement, the provisions of this BAA shall control. Capitalized terms used but not otherwise defined herein shall have the same meaning as those terms defined in HIPAA, HITECH and the Omnibus Rule.
If, in the provision of services to Healthcare Provider, Business Associate representatives may receive or have access to Protected Health Information (“PHI”) that is created and/or maintained by Healthcare Provider, Business Associate shall be bound by the following terms:
1. Permitted Uses and Disclosures. Business Associate may use and disclose PHI, if in the course of performing services for or on behalf of Healthcare Provider or as required or permitted by law, regulation, regulatory agency or by any accrediting body to whom Healthcare Provider or Business Associate may be required to disclose such PHI; Business Associate may also use PHI for the proper management and administration of Business Associate, or to carry out the legal responsibilities of Business Associate.
2. Business Associate Obligations. Business Associate shall:
a. ensure that its agents and subcontractors to whom it may provide PHI agree to the same terms and conditions as are applicable to Business Associate as set forth herein;
b. implement reasonable and appropriate safeguards to prevent use or disclosure of PHI other than as permitted herein and report to Healthcare Provider any use or disclosure of PHI not provided for by this Agreement of which it becomes aware;
c. make available to the Secretary of Health and Human Services, Business Associate’s practices, books and records relating to the use or disclosure of PHI for purposes of determining Healthcare Provider’s compliance with HIPAA, subject to any attorney-client or other privileges;
d. report to the Healthcare Provider, and mitigate to the extent practicable, any harmful effect that is known to Business Associate of uses or disclosures of PHI of which Business Associate becomes aware that do not comply with the terms herein;
e. to the extent that Healthcare Provider and Business Associate agree in writing that Business Associate shall maintain PHI as part of a Designated Record Set, upon Healthcare Provider’s request, provide access and make amendments to such PHI, in order to meet the requirements under HIPAA;
f. document such uses and disclosures of PHI and, upon Healthcare Provider’s request, provide such information as would be required for Healthcare Provider to account for disclosures of PHI as required under 45 CFR 164.528;
g. when Business Associate ceases to perform services for or on behalf of Healthcare Provider, Business Associate will destroy all PHI received or if such destruction of PHI is not feasible, continue to abide by the terms set forth herein with respect to such PHI;
h. following a discovery of a breach of Unsecured Protected Health Information, as defined in HITECH, notify Healthcare Provider of such breach within sixty (60) days of the discovery of the breach; and
i. to the extent Business Associate is to carry out one or more of Healthcare Provider’s obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to Healthcare Provider in the performance of such obligation(s).
3. Healthcare Provider Obligations. Healthcare Provider agrees to:
a. notify Business Associate of any limitations in the notice of privacy practices of Healthcare Provider under 45 CFR 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI;
b. notify Business Associate of any restrictions on the use or disclosure of PHI that Healthcare Provider has agreed to or is required to abide by under 45 CFR 164.522, to the extent that such restrictions may affect Business Associate’s use or disclosure of PHI;
c. notify Business Associate of any changes in, or revocation of, the permission by an Individual to use or disclose his or her PHI, to the extent that such changes may affect Business Associate’s use or disclosure of PHI;
d. not request Business Associate to use or disclose PHI in any manner that would not be permissible under Subpart E of 45 CFR Part 164 if done by Healthcare Provider; and
e. be responsible for notifying Individuals, Media, and the Secretary of a Breach of PHI by Healthcare Provider or Business Associate in accordance with 45 CFR 164.404, 164.406, and 164.408.
4. Term and Termination. The term of this BAA shall be effective as of the date last written below and shall terminate when Business Associate ceases to perform services for Healthcare Provider, except as provided in 2(g) above. Healthcare Provider may terminate this BAA if Business Associate fails to cure or take substantial steps to cure a material breach of this BAA within thirty (30) days after receiving written notice of such material breach from Healthcare Provider.
5. Agreement. This BAA constitutes the entire agreement between the parties. This BAA may be amended only in writing signed by Healthcare Provider and Business Associate. The parties agree to take such action to amend this BAA as is necessary to comply with the requirements of HIPAA and HITECH. This BAA and the rights and obligations of the parties hereunder shall in all respects be governed by, and construed in accordance with, the laws of the State of California, including all matters of construction, validity and performance. Each party irrevocably submits to the exclusive jurisdiction of the state and federal courts residing in Los Angeles County, California and the Central District Court of California, respectively arising out of any disputes of this BAA.