HIPAA BUSINESS ASSOCIATE AGREEMENT

This Business Associate Agreement (“Agreement”) is made and entered on the day of the last signature (“Effective Date”) between the covered entity signing this Agreement (“Covered Entity”) and Atrium (“Business Associate”).

WHEREAS, this Agreement is intended to comply with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and will apply only to the extent that, in connection with performing services contemplated in the Pure Encapsulations Terms of Use (Professional Accounts) (“User Terms”), as the Agreement may be amended from time to time, the Business Associate has access to Covered Entity’s Protected Health Information and that access requires, pursuant to HIPAA, the Agreement be in place; and

NOW, THEREFORE, in consideration of the premises and mutual promises herein contained, it is agreed as follows:

I. Definitions

 (a) Breach. “Breach” shall have the same meaning as the term “breach” in 45 C.F.R. § 164.402.
 (b) Breach Notification Rule. “Breach Notification Rule” shall mean the Standards and Implementation Specifications for Notification of Breaches of Unsecured Protected Health Information under 45 C.F.R. Parts 160 and 164, subparts A and D.
 (c) Electronic Protected Health Information. “Electronic Protected Health Information” shall have the same meaning as the term “electronic protected health information” in 45 C.F.R. § 160.103.
 (d) Electronic Transactions Rule. “Electronic Transactions Rule” shall mean the final regulations issued by HHS concerning standard transactions and code sets under 45 C.F.R. Parts 160 and 162.
 (e) Genetic Information. “Genetic Information” shall have the same meaning as the term “genetic information” in 45 C.F.R. § 160.103.
 (f) HHS. “HHS” shall mean the Department of Health and Human Services.
 (g) HIPAA Rules. “HIPAA Rules” shall mean the Privacy Rule, Security Rule, Breach Notification Rule, and Enforcement Rule.
 (h) HITECH Act. “HITECH Act” shall mean the Health Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009.
 (i) Individual. “Individual” shall have the meaning set forth in HIPAA, except it shall be limited to persons who have rights under HIPAA with respect to their relationship with Covered Entity.
 (j) Privacy Rule. “Privacy Rule” shall mean the Privacy Standards and Implementation Specifications at 45 C.F.R. Parts 160 and 164, subparts A and E.
 (k) Protected Health Information. “Protected Health Information” or “PHI” shall have the same meaning as the term “protected health information” in 45 C.F.R. § 160.103, limited to the information created, received, maintained, or transmitted by Business Associate from or on behalf of Covered Entity pursuant to this Agreement.
 (l) Required by Law. “Required by Law” shall have the same meaning as the term “required by law” in 45 C.F.R. § 164.103.
 (m) Security Incident. “Security Incident” shall have the same meaning as the term “security incident” in 45 C.F.R. § 164.304.
 (n) Security Rule. “Security Rule” shall mean the Security Standards and Implementation Specifications at 45 C.F.R. Parts 160 and 164, subparts A and C.
 (o) Subcontractor. “Subcontractor” shall have the same meaning as the term “subcontractor” in 45 C.F.R. § 160.103.
 (p) Transaction. “Transaction” shall have the meaning given the term “transaction” in 45 C.F.R. § 160.103.
 (q) Unsecured Protected Health Information. “Unsecured Protected Health Information” shall have the meaning given the term “unsecured protected health information” in 45 C.F.R. § 164.402.

II. Privacy and Security of Protected Health Information

 (a) Permitted Uses and Disclosures. Business Associate is permitted to use and disclose PHI that it creates or receives on Covered Entity’s behalf or receives from Covered Entity, or another business associate of Covered Entity only as follows:
  (i) Functions and Activities on Covered Entity’s Behalf. To provide the services outlined in the User Terms.
  (ii) Business Associate’s Operations. Business Associate may use PHI for the proper management and administration of the Business Associate, or to carry out the legal responsibilities of the Business Associate as Required by Law.
  (iii) Minimum Necessary. Business Associate will, in its performance of the functions, activities, services, and operations specified above, make reasonable efforts to use, to disclose, and to request only the minimum amount of PHI reasonably necessary to accomplish the intended purpose of the use, disclosure, or request. Business Associate and Covered Entity acknowledge that the phrase “minimum necessary” shall be interpreted in accordance with the HITECH Act and the HIPAA Rules.
 (b) Prohibition on Unauthorized Use or Disclosure. Business Associate will neither use nor disclose PHI, except as permitted or required by this Agreement, the User Terms, or in writing by Covered Entity or as Required by Law. This Agreement does not authorize Business Associate to use or disclose PHI in a manner that would violate the HIPAA Rules if done by Covered Entity. Business Associate shall not de-identify PHI except as necessary to perform the services contemplated in the User Terms or to provide Covered Entity with summaries or other reports.
 (c) Information Safeguards.
  (i) Privacy of Protected Health Information. Business Associate will develop, implement, maintain, and use appropriate administrative, technical, and physical safeguards to protect the privacy of PHI. The safeguards must fully protect PHI from any intentional or unintentional use or disclosure in violation of the Privacy Rule, Security Rule, the terms of this Agreement, or the User Terms. To the extent the parties agree in the User Terms that the Business Associate will carry out directly one or more of Covered Entity’s obligations under the Privacy Rule, the Business Associate will comply with the requirements of the Privacy Rule that apply to the Covered Entity in the performance of such obligations.
  (ii) Security of Protected Health Information. Business Associate will comply with the Security Rule and will use, implement, and maintain appropriate administrative, technical, and physical safeguards that fully protect the confidentiality, integrity, and availability of PHI, including Electronic PHI, that Business Associate creates, receives, maintains, or transmits on Covered Entity’s behalf.
  (iii) Training. Business Associate will maintain internal policies and procedures related to maintaining the privacy and security of PHI and will train its workforce on HIPAA’s requirements to prevent the improper use or disclosure of PHI.
  (iv) Subcontractors. Business Associate will require each of its Subcontractors to agree, in a written agreement with Business Associate, to limitations and requirements at least as strict as those in this Agreement and to comply with the same provisions of the Security Rule, Privacy Rule, privacy safeguards (including, but not limited to, the obligations described in Section IV of this Agreement), and Breach Notification Rule with respect to the PHI and Electronic PHI that are applicable to Business Associate under this Agreement and the User Terms.
  (v) Prohibition on Sale of Protected Health Information. Business Associate shall not engage in any sale (as defined in the HIPAA Rules) of PHI.

III. Individual Rights

 (a) Access. Where applicable, Business Associate will make available PHI in a Designated Record Set to the Covered Entity as necessary for Covered Entity to satisfy its obligations under 45 C.F.R. § 164.524 in a timely manner. If the Covered Entity requests an electronic copy of PHI that is maintained in a Designated Record Set, Business Associate will provide an electronic copy in the form and format specified by the Covered Entity if it is readily producible in such format; if it is not readily producible in such format, Business Associate will work with the Covered Entity to determine an alternative form and format that enable Covered Entity to meet its electronic access obligations under 45 C.F.R. § 164.524.
 (b) Amendment. Where applicable, Business Associate will make any amendment(s) to PHI in a Designated Record Set as directed or agreed to by the Covered Entity pursuant to 45 C.F.R. § 164.526 or take other measures as necessary to satisfy Covered Entity’s obligations in a timely manner under 45 C.F.R. § 164.526.
 (c) Disclosure Accounting. Where applicable, Business Associate will maintain and make available the information required to provide an accounting of disclosures to the Covered Entity as necessary for the Covered Entity to satisfy its obligations in a timely manner under 45 C.F.R. § 164.528. Business Associate will maintain the disclosure information for at least six (6) years following the date of the accountable disclosure to which the disclosure information relates.
 (d) Restriction Agreements and Confidential Communications. Covered Entity shall notify Business Associate of any limitations in the notice of privacy practices of Covered Entity under 45 C.F.R. § 164.520, or any other limitations Covered Entity imposes on the use or disclosure of PHI, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI. Business Associate will comply with any notice from Covered Entity to (1) restrict use or disclosure of PHI pursuant to 45 C.F.R. § 164.522(a), or (2) provide for confidential communications of PHI pursuant to 45 C.F.R. § 164.522(b), provided that Covered Entity notifies Business Associate in writing of the restriction or confidential communications obligations that Business Associate must follow. Business Associate agrees to comply with any restriction request from the Covered Entity.

IV. Breaches and Security Incidents

 (a) Reporting.
  (i) Impermissible Use or Disclosure. Business Associate will report to Covered Entity any use or disclosure of PHI not permitted by this Agreement not more than ten (10) calendar days after Business Associate becomes aware of such non-permitted use or disclosure.
  (ii) Breach of Unsecured Protected Health Information. Business Associate will report to Covered Entity any potential Breach of Unsecured PHI not more than ten (10) calendar days after discovery of such potential Breach. Business Associate will treat a potential Breach as being discovered in accordance with 45 C.F.R. § 164.410. Business Associate will make the report to Covered Entity. If a delay is requested by a law-enforcement official in accordance with 45 C.F.R. § 164.412, Business Associate may delay notifying Covered Entity for the applicable time period. Business Associate’s report will include at least the following:
   1) Identify the nature of the Breach, which will include a brief description of what happened, including the date of any Breach and the date of the discovery of any Breach;
   2) Identify the types of PHI that were involved in the Breach (such as device serial number);
   3) Identify who made the non-permitted use or disclosure and who received the non-permitted disclosure;
   4) Identify what corrective or investigational action Business Associate took or will take to prevent further non-permitted uses or disclosures, to mitigate harmful effects, and to protect against any further Breaches;
   5) Identify what steps the individuals who were subject to a Breach should take to protect themselves; and
   6) Provide such other information, including a written report and risk assessment under 45 C.F.R. § 164.402, as Covered Entity may reasonably request.
  (iii) Breach Notification. Business Associate will, unless otherwise requested by the Covered Entity, without unreasonable delay and in no case longer than sixty (60) calendar days after discovery of a Breach, notify each affected individual of the Breach (and to the extent the Breach involves more than 500 residents of a State or jurisdiction, prominent media outlets serving the State or jurisdiction). Such notice will contain the information required under 45 C.F.R. § 164.404. Business Associate will also notify HHS of a Breach as required under 45 C.F.R. § 164.408. Unless otherwise requested by Covered Entity, Business Associate will fulfill the requirements of this subsection for a Breach of PHI used, disclosed, transmitted, or maintained by its Subcontractors. Covered Entity shall be given the opportunity to review and revise any communications made under this subsection at least fifteen (15) days prior to the deadline that the communication must be made as required under the Breach Notification Rule.
  (iv) Security Incidents. Business Associate will report to Covered Entity any Security Incident of which Business Associate becomes aware within ten (10) calendar days, except that if any such Security Incident resulted in a disclosure not permitted by this Agreement or a Breach of Unsecured PHI, Business Associate will make the report in accordance with the provisions set forth above.
   1) Mitigation. Business Associate shall mitigate, to the extent practicable, any harmful effect known to the Business Associate resulting from a use or disclosure in violation of this Agreement.
   2) Additional State and Federal Law. Business Associate will comply with other Federal, State, and local privacy and security laws, rules, and regulations that apply to personal information, including PHI, held by the Business Associate or Subcontractor that are not preempted by HIPAA, including, but not limited to, fulfilling all State and local notification requirements applicable to a breach or other impermissible disclosure of personal information, regardless of whether the personal information includes PHI. Covered Entity shall be given the opportunity to review and revise any communications made under this subsection at least fifteen (15) days prior to the deadline that the communication must be made as required under applicable law.
   3) Protective Measures. If Covered Entity determines that the information disclosed is the type of information that could be used to cause financial or any other harm to an Individual, Business Associate, at its own expense, will arrange for and provide all affected Individuals with two (2) years of credit monitoring. Covered Entity may also require Business Associate, at its own expense, to arrange for and provide an alternative, or additional, protective measure to affected Individuals.
   4) Obligations Continue After Termination. To the extent the Business Associate, or its Subcontractor, retains PHI after the termination of the underlying User Terms, the requirements and obligations of this Section IV shall survive the termination of this Agreement and the underlying User Terms until the time all PHI is either returned to the Covered Entity or destroyed.

V. Term and Termination

 (a) Term. This Agreement shall be effective as of the Effective Date, and shall terminate upon termination of the underlying User Terms, subject to the provisions in this Agreement regarding return or destruction of PHI and Section IV.
 (b) Right to Terminate for Cause. Covered Entity may terminate this Agreement if it determines, in its sole discretion, that Business Associate has breached any provision of this Agreement, and after written notice to Business Associate of the breach, Business Associate has failed to cure the breach within fifteen (15) calendar days after receipt of the notice. Any such termination will be effective immediately or at such other date specified in Covered Entity’s notice of termination.
 (c) Treatment of Protected Health Information on Termination.
  (i) Return or Destruction of Protected Health Information Is Feasible. Upon termination of this Agreement, Business Associate will, if feasible, return to Covered Entity or destroy all PHI in whatever form or medium, including all copies thereof and all data, compilations, and other works derived therefrom that allow identification of any individual who is a subject of the PHI. This provision shall apply to PHI that is in the possession of any Subcontractors of Business Associate. Further, Business Associate shall require any such Subcontractor to certify to Business Associate that it has returned or destroyed all such information which could be returned or destroyed. Business Associate will complete these obligations as promptly as possible, but not later than fifteen (15) calendar days following the effective date of the termination of this Agreement.
  (ii) Procedure When Return or Destruction Is Not Feasible. Business Associate will identify any PHI, including any PHI that Business Associate has disclosed to Subcontractors, that cannot feasibly be returned to Covered Entity or destroyed and explain why return or destruction is infeasible. Business Associate will limit its further use or disclosure of such information to those purposes that make return or destruction of such information infeasible. Business Associate will complete these obligations as promptly as possible, but not later than fifteen (15) calendar days following the effective date of the termination or other conclusion of this Agreement.
  (iii) Continuing Privacy and Security Obligation. Business Associate’s obligation to protect the privacy and safeguard the security of PHI as specified in this Agreement will be continuous and survive termination or other conclusion of this Agreement.

VI. General Provisions

 (a) Definitions. All terms that are used but not otherwise defined in this Agreement shall have the meaning specified under HIPAA, including its statute, regulations, and other official government guidance.
 (b) Inspection of Internal Practices, Books, and Records. Business Associate reasonably will make its internal practices and records relating to its use and disclosure of PHI available to Covered Entity and to HHS to determine compliance with the HIPAA Rules. Business Associate shall notify Covered Entity immediately upon receipt of a request by HHS to review the Covered Entity’s materials.
 (c) Amendment to Agreement. This Agreement may be amended only by a written instrument signed by the parties. In case of a change in applicable law, this Agreement shall automatically amend such that the obligations imposed on Business Associate or Covered Entity remain in compliance with HIPAA.
 (d) No Third-Party Beneficiaries. Nothing in this Agreement shall be construed as creating any rights or benefits to any third parties.
 (e) Interpretation. Any ambiguity in the Agreement shall be resolved to permit Covered Entity and Business Associate to comply with the applicable requirements under the HIPAA Rules.
 (f) Severability. The invalidity or unenforceability of any provisions of this Agreement shall not affect the validity or enforceability of any other provision of this Agreement, which shall remain in full force and effect.
 (g) Construction and Interpretation. The section headings contained in this Agreement are for reference purposes only and shall not in any way affect the meaning or interpretation of this Agreement. This Agreement may be executed in counterparts, each of which shall be deemed to be an original, but all of which, taken together, shall constitute one and the same agreement.
 (h) Notices. All notices and communications required by this Agreement shall be in writing and delivered by (i) a nationally recognized, next-day courier service; (ii) first-class, registered, or certified mail, postage prepaid; or (iii) electronic mail to the address that each party specifies in writing.
 (i) Entire Agreement. This Agreement, together with the User Terms, constitutes the entire agreement between the parties with respect to its subject matter and constitutes and supersedes all prior agreements, representations, and understandings of the parties, written or oral, with regard to this same subject matter.