HIPAA Business Associate Agreement
RECITALS
- Paperwise is a “Business Associate” of Covered Entities, as those terms are defined under the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-91), as amended, (“HIPAA”), and the regulations promulgated thereunder by the Secretary of the U.S. Department of Health and Human Services (“Secretary”), including, without limitation, the regulations codified at 45 C.F.R. Parts 160 and 164 (“HIPAA Regulations”);
- In the performance of Business Associate functions or services on behalf of Covered Entities, Paperwise subcontracts with certain other entities that perform Services for or on behalf of Paperwise, and in performing said Services, create, receive, maintain, or transmit Protected Health Information (“PHI”). Such “Subcontractors” are defined as “Business Associates” of Paperwise pursuant to the HIPAA Regulations;
- The Parties intend to protect the privacy and provide for the security of PHI Disclosed by Paperwise to Business Associate, or received or created by Business Associate, when providing Services in compliance with HIPAA, the Health Information Technology for Economic and Clinical Health Act (Public Law 111-005) (“the HITECH Act”) and its implementing regulations and guidance issued by the Secretary, and other applicable state and federal laws, all as amended from time to time; and
- Paperwise is required under HIPAA to enter into a BAA with each Business Associate Subcontractor that meets certain requirements with respect to the Use and Disclosure of PHI, which are met by this BAA.
AGREEMENT
In consideration of the Recitals and for other good and valuable consideration, the receipt and adequacy of which is hereby acknowledged, the Parties agree as follows:
Article I DEFINITIONS
The following terms shall have the meaning set forth below. Capitalized terms used in this BAA and not otherwise defined shall have the meanings ascribed to them in the HIPAA Regulations.
1.1. “Breach” shall have the meaning given to such term under 45 C.F.R. § 164.402.
1.2. “Designated Record Set” shall have the meaning given such term under 45 C.F.R. § 164.501.
1.3. “Disclose” and “Disclosure” mean, with respect to PHI, the release, transfer, provision of access to, or divulging in any other manner of PHI outside of Business Associate or to anyone other than a member of its Workforce, as set forth in 45 C.F.R. § 160.103.
1.4. “Electronic PHI” or “e-PHI” means PHI that is transmitted or maintained in electronic media, as set forth in 45 C.F.R. § 160.103.
1.5. “Protected Health Information” and “PHI” mean any information, whether oral or recorded in any form or medium, that: (a) relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual, or the past, present or future payment for the provision of health care to an individual; (b) identifies the individual (or for which there is a reasonable basis for believing that the information can be used to identify the individual); and (c) shall have the meaning given to such term under 45 C.F.R. § 160.103. Protected Health Information includes e-PHI.
1.6. “Required by Law” shall have the meaning given to such term under 45 C.F.R. § 160.103.
1.7. “Security Incident” shall have the meaning given to such term under 45 C.F.R. § 164.304.
1.8. “Services” shall mean the services for or functions on behalf of Paperwise performed by Business Associate pursuant to any service agreement(s) between Paperwise and Business Associate which may be in effect now or from time to time (“Underlying Agreement”), or, if no such agreement is in effect, the services or functions performed by Business Associate that constitute a Business Associate relationship between Paperwise and Business Associate, as set forth in 45 C.F.R. § 160.103.
1.9. “Unsecured PHI” shall have the meaning given to such term under 42 U.S.C. § 17932(h), 45 C.F.R. § 164.402, and guidance issued pursuant to the HITECH Act including, but not limited to the guidance issued on April 17, 2009 and published in 74 Federal Register 19006 (April 27, 2009) by the Secretary.
1.10. “Use” or “Uses” mean, with respect to PHI, the sharing, employment, application, utilization, examination or analysis of such PHI within Business Associate’s internal operations, as set forth in 45 C.F.R. § 160.103.
1.11. “Workforce” shall have the meaning given to such term under 45 C.F.R. § 160.103.
Article II OBLIGATIONS OF SUBCONTRACTOR
2.1. Permitted Uses and Disclosures of Protected Health Information. Business Associate shall not Use or Disclose PHI received, accessed, or created for or on behalf of Paperwise except to perform the Services required by any Underlying Agreement, or as permitted by this BAA or Required by Law. Business Associate shall not Use or Disclose PHI in any manner that would constitute a violation of the HIPAA Regulations if so Used or Disclosed by Paperwise or a Covered Entity. Creation, Use, or Disclosure of de-identified PHI is not permitted by this BAA without the prior written consent of Paperwise.
2.2. Compliance with Privacy Provisions. Business Associate shall only Use and Disclose PHI in compliance with each applicable requirement of 45 C.F.R. § 164.504(e).
2.3. Adequate Safeguards of PHI. Business Associate shall comply with Subpart C of 45 C.F.R. Part 164 with respect to PHI, to reasonably and appropriately protect the confidentiality, integrity, and availability of e-PHI that it creates, receives, maintains or transmits on behalf of Paperwise.
2.4. Mitigation. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a Use or Disclosure of PHI by Business Associate in violation of the requirements of this BAA.
2.5. Reporting Non-Permitted Use or Disclosure.
2.5.1. Reporting Security Incidents and Non-Permitted Uses or Disclosures. Business Associate shall report to Paperwise in writing each Security Incident or Use or Disclosure that is made by Business Associate, members of its Workforce, or Subcontractors that is not specifically permitted by this BAA no later than three (3) calendar days after becoming aware of such Security Incident or non-permitted Use or Disclosure, in accordance with the notice provisions set forth herein. Notwithstanding the foregoing, Business Associate and Paperwise acknowledge the ongoing existence and occurrence of attempted but ineffective Security Incidents that are trivial in nature, such as pings and other broadcast service attacks, and Paperwise acknowledges and agrees that no additional notification to Covered Entity of such ineffective Security Incidents is required, as long as no such incident results in unauthorized access, Use or Disclosure of PHI. Business Associate shall investigate each unauthorized access, acquisition, Use, or Disclosure of PHI that it creates, receives, maintains, or transmits for or on behalf of Paperwise. If such Security Incident or non-permitted Use or Disclosure constitutes a reportable Breach of Unsecured PHI, then Paperwise shall comply with the requirements of Section 2.5.2 below.
2.5.2. Breach of Unsecured PHI. Business Associate shall notify Paperwise of such Breach in writing without unreasonable delay but no later than three (3) calendar days after Discovery of the Breach. Business Associate shall be deemed to have Discovered a Breach as of the first day that the Breach is either known to Business Associate or any of its employees, officers or agents, other than the person who committed the Breach, or by exercising reasonable diligence should have been known to Business Associate or any of its employees, officers or agents, other than the person who committed the Breach. To the extent the information is available to Business Associate, Business Associate’s written notice shall include the information required by 45 C.F.R. §164.410. Business Associate shall promptly supplement the written report with additional information regarding the Breach as it obtains such information. Business Associate shall cooperate with Paperwise in meeting Paperwise’s obligations with respect to such Breach. Paperwise shall have sole control over the timing and method of providing notification of such Breach to the affected individual(s), the Secretary and, if applicable, the media. Business Associate shall reimburse Paperwise for its reasonable costs and expenses in providing the notification, including, but not limited to, any administrative costs associated with providing notice, printing and mailing costs, and costs of mitigating the harm (which may include the costs of obtaining credit monitoring services and identity theft insurance) for affected individuals whose PHI has or may have been compromised as a result of the Breach.
2.5.3. Security Breaches. The Missouri Notice of Unauthorized Acquisition of Personal Information Law (s. 134.98, Wis. Stats.) delineates notification requirements in the event of a breach in the security of certain “personal information.” Business Associate agrees that in the event that PHI constituting “personal information” to which Business Associate has access is acquired by any unauthorized person, Business Associate shall notify Paperwise of the breach of security within three (3) calendar days, and comply with all legal requirements with respect thereto.
2.6. Delegated Responsibilities. To the extent that Business Associate carries out one or more of Paperwise’s obligations under Subpart E of 45 C.F.R. Part 164, Business Associate must comply with the requirements of Subpart E that apply to Covered Entities in the performance of such obligations.
2.7. Availability of Internal Practices, Books, and Records to Government. Business Associate agrees to make its internal practices, books and records relating to the Use and Disclosure of PHI received from, or created or received by the Business Associate on behalf of Paperwise available to the Secretary for purposes of determining Paperwise’s compliance with HIPAA, the HIPAA Regulations, and the HITECH Act.
2.8. Access to and Amendment of Protected Health Information. To the extent that Business Associate maintains a Designated Record Set on behalf of Paperwise and within ten (10) calendar days of such request by Paperwise, Business Associate shall (a) make the PHI it maintains (or which is maintained by its Subcontractors) in Designated Record Sets available to Paperwise for inspection and copying or, if requested by Paperwise, to an individual, to enable Paperwise to fulfill its obligations under 45 C.F.R. § 164.524, or (b) amend the PHI it maintains (or which is maintained by its Subcontractors) in Designated Record Sets to enable Paperwise to fulfill its obligations under 45 C.F.R. § 164.526. If Business Associate maintains PHI in a Designated Record Set electronically, Business Associate shall provide such information in the electronic form and format requested by Paperwise if it is readily reproducible in such form and format, and, if not, in such other form and format agreed to by Paperwise to enable Paperwise to fulfill its obligations under 45 C.F.R. § 164.524(c)(2).
2.9. Accounting. To the extent that Business Associate maintains a Designated Record Set on behalf of Paperwise, within twenty (20) calendar days of receipt of a request from Paperwise or an individual for an accounting of disclosures of PHI, Business Associate and its Subcontractors shall make available to Paperwise the information required to provide an accounting of disclosures to enable Paperwise to fulfill its obligations under 45 C.F.R. § 164.528.
2.10. Use of Subcontractors. Business Associate shall require each of its Subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate, to execute a written agreement that includes substantially the same restrictions and conditions that apply to Business Associate under this BAA with respect to PHI.
2.11. Audit. Paperwise shall have the right to audit and monitor all applicable activities and records of Business Associate to determine Business Associate’s compliance with the requirements relating to the creation or Use and Disclosure of PHI as it relates to the privacy and security sections of this BAA.
2.12. Minimum Necessary. Business Associate (and its Business Associates) shall, to the extent practicable, limit its request, Use, or Disclosure of PHI to the minimum amount of PHI necessary to accomplish the purpose of the request, Use or Disclosure, in accordance with 42 U.S.C. § 17935(b) and 45 C.F.R. § 164.502(b)(1) or any other guidance issued thereunder.
Article III TERM AND TERMINATION
3.1. Term. Subject to the provisions of Section 3.2, the term of this BAA shall be the term of any Underlying Agreement.
3.2. Termination for Cause. In addition to and notwithstanding the termination provisions set forth in any Underlying Agreement, upon Paperwise’s knowledge of a material breach or violation of this BAA by Business Associate, Paperwise shall either:
3.2.1. Notify Business Associate of the breach in writing, and provide an opportunity for Business Associate to cure the breach or end the violation within ten (10) business days of such notification; provided that if Business Associate fails to cure the breach or end the violation within such time period to the satisfaction of Paperwise, Paperwise may immediately terminate this BAA and any Underlying Agreement upon written notice to Business Associate; or
3.2.2. Upon written notice to Business Associate, immediately terminate this BAA and any Underlying Agreement if Paperwise determines that such breach cannot be cured.
3.3. Disposition of Protected Health Information Upon Termination.
3.3.1. Upon termination or expiration of this BAA, Business Associate shall either return or destroy all PHI received from, or created or received by Business Associate on behalf of Paperwise, that Business Associate still maintains in any form and retain no copies of such PHI. If Paperwise requests that Business Associate return PHI, PHI shall be returned in a mutually agreed upon format and timeframe, at no additional charge to Paperwise.
3.3.2. If return or destruction is not feasible, Business Associate shall (a) retain only that PHI which is necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities; (b) return to Paperwise the remaining PHI that the Business Associate still maintains in any form; (c) continue to extend the protections of this BAA to the PHI for as long as Business Associate retains the PHI; (d) limit further Uses and Disclosures of such PHI to those purposes that make the return or destruction of the PHI not feasible and subject to the same conditions set out in Sections 2.1 – 2.3 above, which applied prior to termination; and (e) return to Paperwise the PHI retained by Business Associate when it is no longer needed by Business Associate for its proper management and administration or to carry out its legal responsibilities.
Article IV MISCELLANEOUS
4.1. Amendment to Comply with Law. This BAA shall be deemed amended to incorporate any mandatory obligations of Paperwise or Business Associate under the HITECH Act and its implementing HIPAA Regulations. Additionally, the Parties agree to take such action as is necessary to amend this BAA from time to time as necessary for Paperwise to implement its obligations pursuant to HIPAA, the HIPAA Regulations, or the HITECH Act.
4.2. Relationship to Underlying Agreement Provisions. In the event that a provision of this BAA is contrary to a provision of an Underlying Agreement, the provision of this BAA shall control. Otherwise, this BAA shall be construed under, and in accordance with, the terms of such Underlying Agreement, and shall be considered an amendment of and supplement to such Underlying Agreement, subject to Section 4.3 below.
4.3. Indemnification. Notwithstanding anything to the contrary which may be contained in any Underlying Agreement, including but not limited to any limitations on liability contained therein, Business Associate hereby agrees to indemnify and hold harmless Paperwise, its affiliates, and their respective officers, directors, managers, members, shareholders, employees and agents from and against any and all fines, penalties, damages, claims or causes of action and expenses (including, without limitation, court costs and attorney’s fees) arising from any violation of HIPAA, the HIPAA Regulations, or the HITECH Act or from any negligence or wrongful acts or omissions (including but not limited to failure to perform its obligations) that results in a violation of HIPAA, the HIPAA Regulations, or the HITECH Act, by Business Associate or its employees, directors, officers, Business Associates, or other members of Business Associate’s Workforce. In the event of a Breach, Paperwise shall be entitled to enjoin and restrain Business Associate from any continued violation of this BAA.
4.4. Notices. Any notices required or permitted to be given hereunder by either Party to the other shall be given in writing: (1) by personal delivery; (2) by electronic mail or facsimile with confirmation sent by United States first class registered or certified mail, postage prepaid, return receipt requested; (3) by bonded courier or by a nationally recognized overnight delivery service; or (4) by United States first class registered or certified mail, postage prepaid, return receipt, in each case, addressed to a Party on the signature page(s) to this BAA, or to such other addresses as the Parties may request in writing by notice given pursuant to this Section 4.4. Notices shall be deemed received on the earliest of personal delivery; upon delivery by electronic facsimile with confirmation from the transmitting machine that the transmission was completed; twenty-four (24) hours following deposit with a bonded courier or overnight delivery service; or seventy-two (72) hours following deposit in the U.S. mail as required herein.
4.5. Relationship of Parties. Notwithstanding anything to the contrary in any Underlying Agreement, Business Associate is an independent contractor and not an agent of Paperwise under this BAA. Business Associate has the sole right and obligation to supervise, manage, contract, direct, procure, perform or cause to be performed all Business Associate obligations under this BAA.
4.6. Interpretation. This BAA shall be interpreted as broadly as necessary to implement and comply with HIPAA, the HIPAA Regulations and the HITECH Act. The parties agree that any ambiguity in this BAA shall be resolved in favor of a meaning that complies and is consistent with such laws.
4.7. State Privacy Laws. Business Associate shall comply with state privacy laws to the extent that such state privacy laws are not preempted by HIPAA or the HITECH Act.
4.8. Survival. The respective rights and obligations of the Parties under Sections 2.4, 3.3, and 4.3 of this BAA shall survive the termination of this BAA.