Business Associate Agreement

This BUSINESS ASSOCIATE AGREEMENT ("BAA") is entered into by and between MediaLab Solutions, LLC ("Business Associate") and Covered Entity effective as of the date that Covered Entity first receives services from Business Associate that involve access to or custody of Protected Health Information (the "Effective Date"). "Covered Entity" means, in the case of an individual accepting this BAA on his or her behalf, such individual, or in the case of an individual accepting this BAA on behalf of a company or other legal entity, the company or other legal entity for which such individual is accepting this BAA, along with any Affiliate of such company or entity named in any ordering documents or online orders specifying the services to be provided to Covered Entity by Business Associate (each an "Order Form" and, collectively, the "Order Forms") or whose laboratory site(s) or Authorized Users are included within the scope of the site-based or Authorized User-based licensing limitations set forth in the Order Form(s). "Affiliate" means an entity that directly or indirectly controls (i.e., control is direct or indirect ownership or control of more than 50% of the voting interests), is controlled by, or is under common control with the subject company or legal entity.
BY CHECKING A BOX OR OTHERWISE AFFIRMATIVELY OPTING INTO THIS BAA IN AN ACCEPTED ORDER FORM YOU (A) ACKNOWLEDGE THAT YOU HAVE READ AND UNDERSTAND THIS BAA; (B) REPRESENT AND WARRANT THAT YOU HAVE THE RIGHT, POWER, AND AUTHORITY TO ENTER INTO THIS BAA AND, IF ENTERING INTO THIS AGREEMENT FOR AN ORGANIZATION, THAT YOU HAVE THE LEGAL AUTHORITY TO BIND THAT ORGANIZATION AND ITS AFFILIATES (AND YOU AGREE THAT ALL REFERENCES IN THIS AGREEMENT TO "COVERED ENTITY" INCLUDE SUCH ORGANIZATION AND ITS AFFILIATES); AND (C) ACCEPT THIS BAA AND AGREE THAT COVERED ENTITY IS LEGALLY BOUND BY ITS TERMS. IF YOU DO NOT HAVE AUTHORITY TO ACCEPT THIS BAA OR DO NOT AGREE TO THESE TERMS, YOU MUST NOT ACCEPT THIS BAA.
RECITALS
WHEREAS, Covered Entity and Business Associate have entered into a MediaLab Service Agreement (the "Services Arrangement") pursuant to which Business Associate provides certain services and/or resources to Covered Entity that involve access to or custody of Protected Health Information (defined below) by Business Associate;
WHEREAS, Covered Entity and Business Associate are entering into this BAA in order to comply with the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 and Subtitle D of the Health Information Technology for Economic and Clinical Health ("HITECH") Act, and the regulations and guidance promulgated pursuant to the foregoing laws (collectively, "HIPAA"); and
WHEREAS, to the extent the parties have previously entered into a business associate contract, this BAA supersedes and replaces such contract as of the date stated above.
NOW, THEREFORE, in consideration of the mutual promises set forth in this BAA and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, Covered Entity and Business Associate hereby agree to the following terms.
1. Definitions
1.1. Breach shall have the same meaning as the term "breach" in 45 CFR §164.402.
1.2. Designated Record Set shall have the same meaning as the term "designated record set" in 45 CFR §164.501.
1.3. Electronic Protected Health Information shall have the same meaning as the term "electronic protected health information" in 45 CFR §160.103, limited to the information created or received by Business Associate from or on behalf of Covered Entity.
1.4. Individual shall have the same meaning as the term "individual" in 45 CFR § 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 CFR § 164.502(g).
1.5. Privacy Rule shall mean 45 CFR Part 160 and Part 164, Subparts A and E.
1.6. Protected Health Information shall have the same meaning as the term "protected health information" in 45 CFR § 160.103, limited to the information created or received by Business Associate from or on behalf of Covered Entity.
1.7. Required By Law shall have the same meaning as the term "required by law" in 45 CFR § 164.103.
1.8. Secretary shall mean the Secretary of the Department of Health and Human Services or his or her designee.
1.9. Security Incident shall have the same meaning as the term "security incident" in 45 CFR § 164.304.
1.10. Security Rule shall mean 45 CFR Part 160 and Part 164, Subparts A and C.
1.11. Subcontractor shall have the same meaning as the term "subcontractor" in 45 CFR § 160.103.
1.12. Unsecured Protected Health Information shall have the same meaning as the term "unsecured protected health information" in 45 CFR § 164.402.
Unless otherwise provided in this BAA, all terms have the same meaning as set forth in HIPAA, as amended. All citations to the Code of Federal Regulations set forth in this BAA shall include all subsequent, updated, amended and/or revised provisions thereto.
2. Obligations and Activities of Business Associate
2.1. Business Associate agrees to not use or further disclose Protected Health Information other than as permitted or required by this BAA or as Required By Law.
2.2. Business Associate agrees to use appropriate safeguards and comply, where applicable, with the Security Rule with respect to Electronic Protected Health Information, to prevent use or disclosure of the information other than as provided for by this BAA.
2.3. Business Associate agrees to report to Covered Entity any use or disclosure of the Protected Health Information not provided for by this BAA of which it becomes aware, including any Breaches of Unsecured Protected Health Information as required by 45 CFR §164.410.
2.4. In accordance with 45 CFR §164.502(e)(1)(ii), Business Associate agrees to ensure that any Subcontractors that create, receive, maintain, or transmit Protected Health Information on behalf of Business Associate agree to restrictions and conditions substantially similar to those that apply through this BAA to Business Associate with respect to such information.
2.5. If Business Associate maintains Protected Health Information in a Designated Record Set, Business Associate agrees to make available such Protected Health Information as necessary to satisfy Covered Entity's obligations under 45 CFR § 164.524 and make available such Protected Health Information for amendment and incorporate any amendments to such Protected Health Information as necessary to satisfy Covered Entity's obligations under 45 CFR § 164.526.
2.6. Business Associate agrees to make its internal practices, books, and records relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of Covered Entity, available to the Secretary for purposes of the Secretary determining Covered Entity's compliance with the Privacy Rule.
2.7. Business Associate agrees to maintain and make available the information required to provide an accounting of disclosures of Protected Health Information as necessary to satisfy Covered Entity's obligations under 45 CFR § 164.528 and the HITECH Act.
2.8. With respect to Electronic Protected Health Information, Business Associate agrees to (a) comply with the applicable requirements of the Security Rule, (b) in accordance with 45 CFR §164.308(b)(2), ensure that any Subcontractors that create, receive, maintain or transmit Electronic Protected Health Information on behalf of Business Associate agree to comply with the applicable requirements of the Security Rule by entering into a contract or other arrangement that complies with 45 CFR §164.314, and (c) report to Covered Entity any Security Incident of which it becomes aware, including Breaches of Unsecured Protected Health Information as required by 45 CFR §164.410. This section constitutes ongoing notice by Business Associate to Covered Entity of the existence and occurrence of attempted but Unsuccessful Security Incidents for which no additional notice to Covered Entity is required. The term "Unsuccessful Security Incidents" includes, without limitation: pings and other broadcast attacks on Business Associate's firewalls, port scans, unsuccessful log-on attempts, denial of service attacks, and any combination of the foregoing, so long as no such incident results in unauthorized access to, use or disclosure of Electronic Protected Health Information.
2.9. To the extent Business Associate is to carry out any obligation of Covered Entity under the Privacy Rule, Business Associate shall comply with the requirements of the Privacy Rule that apply to the Covered Entity with respect to such obligation.
3. Permitted Uses and Disclosures by Business Associate
3.1. Business Associate may use or disclose Protected Health Information to perform functions, activities or services for or on behalf of Covered Entity pursuant to the Services Arrangement, provided that any such use or disclosure would not violate the Privacy Rule if done by Covered Entity.
3.2. Business Associate may use Protected Health Information for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate.
3.3. Business Associate may disclose Protected Health Information for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, provided that disclosures are Required By Law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
3.4. Business Associate may use Protected Health Information to provide data aggregation services to Covered Entity, as permitted by 42 CFR § 164.504(e)(2)(i)(B), and Business Associate may de-identify Protected Health Information provided that such de-identification conforms to the requirements of the Privacy Rule.
3.5. Business Associate may use Protected Health Information to report violations of law to appropriate Federal and State authorities, consistent with § 164.502(j)(1).
4. Obligations of Covered Entity
4.1. Covered Entity shall not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under the Privacy Rule if done by Covered Entity, except that Business Associate may use or disclose Protected Health Information as specified in Section 3 above.
4.2. Covered Entity shall notify Business Associate of any limitation(s) in the notice of privacy practices of Covered Entity in accordance with 45 CFR § 164.520, to the extent that such limitation may affect Business Associate's use or disclosure of Protected Health Information.
4.3. Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by any Individual to use or disclose Protected Health Information, to the extent that such changes may affect Business Associate's use or disclosure of Protected Health Information.
4.4. Covered Entity shall notify Business Associate of any restriction on the use or disclosure of Protected Health Information that Covered Entity has agreed to in accordance with 45 CFR § 164.522, to the extent that such restriction may affect Business Associate's use or disclosure of Protected Health Information.
5. Term and Termination
5.1. Term. The term of this BAA shall begin as of the Effective Date and shall terminate upon (i) the later of the termination or expiration of the Services Arrangement or the cessation of all services pursuant to the Services Arrangement or (ii) the termination of this BAA pursuant to Section 5.2 below.
5.2. Termination for Cause. This BAA may be terminated by either party upon the material breach of this BAA by the other party in the event that the defaulting party fails to cure such material breach within thirty (30) days following written notice from the non-defaulting party describing such material breach.
5.3. Effect of Termination. Upon termination of this BAA for any reason, Business Associate shall return or destroy all Protected Health Information received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity. Notwithstanding the foregoing sentence, in the event Business Associate determines that returning or destroying certain Protected Health Information is infeasible, Business Associate shall retain such Protected Health Information, extending the protections of this BAA to such Protected Health Information and limiting further uses and disclosures of such Protected Health Information to those purposes for which such PHI was retained. For purposes of this Section 5.3, "infeasible" includes but is not limited to circumstances in which further use or disclosure of Protected Health Information is or may be Required By Law or otherwise necessary for Business Associate's proper management and administration or carrying out its legal responsibilities.
6. Miscellaneous
6.1. Regulatory References. A reference in this BAA to a section in the Privacy or Security Rule or other section of the HIPAA regulations means the section as in effect or as amended.
6.2. Survival. Any provision of this BAA which imposes an obligation after termination of this BAA, including but not limited to Sections 5.3 and 6.3, shall survive the termination of this BAA and continue to be binding on the parties.
6.3. Interpretation; Entire Agreement. Any ambiguity in this BAA shall be resolved to permit Covered Entity and Business Associate to comply with HIPAA. With respect to the subject matter of this BAA, this BAA supersedes all previous contracts by and between the parties and, together with the Services Arrangement and Order Form(s), constitutes the entire agreement between the parties. In the event that a provision of this BAA conflicts with a provision of the Services Arrangement or Order Form(s), the provision of this BAA shall control; provided, however, that to the extent any provision within the Services Arrangement imposes more stringent requirements than those required in the BAA, the parties agree to adhere to the terms of the Services Arrangement. Otherwise, this BAA shall be construed under, and in accordance with, the terms of the Services Arrangement. NOTWITHSTANDING ANYTHING TO THE CONTRARY IN THIS BAA, THE SERVICES ARRANGEMENT, THE ORDER FORM(S) OR IN ANY OTHER CUSTOMER STANDARD TERMS OR DOCUMENTS, THIS BAA SHALL BE GOVERNED BY ANY LIMITATION OF LIABILITY PROVISIONS SET FORTH IN THE SERVICES ARRANGEMENT.
6.4. Binding Effect. This BAA shall be binding upon and shall inure to the benefit of the parties, their respective successors and permitted assignees.
6.5. Notices. Any notice required or permitted under this BAA shall be given in writing and delivered by electronic mail or facsimile with confirmation of receipt, by hand, by nationally recognized overnight delivery service or by registered or certified mail, postage pre-paid and return receipt requested, to Business Associate at the address set forth below or to Covered Entity at the notice address set forth in the Order Form.
Business Associate: MediaLab Solutions, LLC
Attention: Timothy Westover
1745 North Brown Road, Suite 300
Lawrenceville GA 30043
Notice of a change in address of one of the parties shall be given in writing to the other party as provided above. All notices shall be effective upon receipt.
6.6. Governing Law. To the extent not preempted by Federal law, this BAA shall be governed and construed in accordance with the laws of the State of Georgia, without regard to conflicts of law provisions that would require application of the law of another state.
6.7. No Third Party Beneficiaries. Nothing express or implied in this BAA is intended to confer, nor shall anything herein confer, upon any person other than the parties and the respective successors and assigns of the parties any rights, remedies, obligations, or liabilities whatsoever.
6.8. Other Requirements. Business Associate and Covered Entity agree that, to the extent not incorporated or referenced in this BAA, other requirements under the HITECH Act (as well as any other requirements under HIPAA) that apply to business associates, and that are required to be incorporated by reference in a business associate agreement, are incorporated into this BAA as if set forth in this BAA in their entirety and are effective as of the applicable date for each such requirement on which the Secretary will require business associates to comply with such requirement. Business Associate shall comply with the obligations of a business associate as prescribed by HIPAA and the HITECH Act commencing on the applicable date of each such requirement.
Agreement Last Modified: November 2023