Business Associate Agreement

DOCPACE Business Associate Agreement

Effective Date: October 27, 2021

Last Modified: March 14, 2024

This Business Associate Agreement (this "Agreement") is entered into by and between you ("Covered Entity") and DOCPACE, Inc. ("DOCPACE" or "Business Associate") and shall be effective when you check the "I Agree" box and click the "Submit" Button to sign up for any of the Services (defined below) and/or when you enter into any agreement with DOCPACE relative to any of the Services ("Effective Date").

WHEREAS, Business Associate will provide Covered Entity with those certain services ("Services") as more fully set forth in the applicable Subscription Agreement, Beta Test Customer Agreement relative to DOCPACE Insights, and/or the End User License Agreement relative to DrChat application, as more fully defined therein, as applicable, between Covered Entity and Business Associate of even date herewith (collectively the "Agreements"); and

WHEREAS, in order for Business Associate to provide the Services under the Agreements, Covered Entity needs to disclose to Business Associate certain Protected Health Information ("PHI"); and

WHEREAS, Covered Entity has agreed to provide Business Associate with access to certain PHI to enable Business Associate to provide Services to Covered Entity; and

WHEREAS, Covered Entity and Business Associate are required to meet the requirements of the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191 (the "Act"), the privacy standards adopted by the U.S. Department of Health and Human Services ("HHS") as they may be amended from time to time, 45 C.F.R. parts 160 and 164, subparts A and E ("Privacy Rule"), the security standards adopted by HHS as they may be amended from time to time, 45 C.F.R. parts 160, 162, and 164, subpart C (the "Security Rule"), and the Privacy provisions (Subtitle D) of the Health Information Technology for Economic and Clinical Health Act, Division A, Title XIII of Pub. L. 111-5, and its implementing regulations (the "HITECH Act"), due to their status as a "covered entity" or a "business associate" under the Act. The Act, the Privacy Rule, the Security Rule, and the HITECH Act are collectively referred to as "HIPAA" for the purposes of this Agreement; and

WHEREAS, the parties desire to enter into this Agreement to protect the privacy and provide for the security of PHI disclosed by Covered Entity to Business Associate and to satisfy certain requirements in compliance with HIPAA.

NOW, THEREFORE, in consideration of the mutual benefits of complying with laws and regulations stated above, Covered Entity and Business Associate agree as follows:

ARTICLE I.
DEFINITIONS

1.1.          "Minimum Necessary" means the minimum amount of PHI necessary to accomplish the intended purpose of the use, disclosure, or request or the amount of PHI described and defined by HHS from time to time as "minimum necessary."

1.2.          "Business Associate" refers to DOCPACE in its capacity as a "business associate," as that term is defined in 45 C.F.R. § 160.103.

1.3.          "Subcontractor" means a subcontractor of Business Associate to whom Business Associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of Business Associate.

1.4.          "Covered Entity" refers to the Covered Entity named above in its capacity as a "covered entity," as that term is defined in 45 C.F.R. § 160.103.

1.5.          Other Terms. Capitalized terms not specifically defined in this Agreement shall have the meanings attributed to them under HIPAA.

ARTICLE II.
PRIVACY OF PROTECTED HEALTH INFORMATION

2.1.          Permitted Uses & Disclosures.

(a)            Business Associate may use or disclose PHI on behalf of, or provide services to, Covered Entity pursuant to the Agreements between Business Associate and Covered Entity or as Required by Law. Except for the specific uses or disclosures set forth in this Section 2.1, Business Associate may not use or disclose PHI in a manner that would violate the Privacy Rule if done by Covered Entity. Business Associate shall limit its use, disclosure or request of PHI, to the extent practicable, to a Limited Data Set or, if needed by Business Associate, to the Minimum Necessary.

(b)            Business Associate may use or disclose PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate provided that, with respect to such disclosure, (i) the disclosure is Required by Law; or (ii) Business Associate obtains reasonable assurances from the person to whom the PHI is disclosed that it will be kept confidential and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person, and the person agrees to notify Business Associate of instances of which it is aware in which the confidentiality of the information has been breached.

(c)            Business Associate may provide data aggregation services to Covered Entity relating to the Health Care Operations of Covered Entity.

(d)            Business Associate may de-identify PHI and may aggregate, manipulate, use, disclose, sell, publish and distribute such de-identified health information and data provided that such de-identification is in accordance with HIPAA, including for purposes of providing Services to the Covered Entity.

2.2.          Safeguards for the Protection of PHI. Business Associate shall use appropriate safeguards and comply with the applicable requirements of the Security Rule to prevent the use or disclosure of PHI other than provided for by this Agreement.

2.3.          Reporting of Unauthorized Uses or Disclosures & Unauthorized Attempts to Use or Disclose.

(a)            Breach and Other Privacy Rule Violations. Business Associate shall report to Covered Entity the use or disclosure of PHI not permitted by this Agreement, the Agreements, or that is in violation of HIPAA, including a Breach of unsecured PHI as required by 45 C.F.R. § 164.410, within ten (10) business days after the date on which Business Associate learns or should have learned of such occurrence. In its report to Covered Entity, Business Associate will identify, at a minimum (i) the nature of the non-permitted use or disclosure; (ii) the PHI used or disclosed; (iii) the party or parties who made the non-permitted use or received the non-permitted disclosure; (iv) what corrective action Subcontractor took or will take to prevent further non-permitted uses or disclosures; (v) what Subcontractor did or will do to mitigate harmful effects of the non-permitted use or disclosure; (vi) such other information, including a written report, as Covered Entity may request; and (vii) such other information as HHS may prescribe by regulation.

(b)            Security Incidents. Business Associate shall report all Security Incidents to Covered Entity, in accordance with the following reporting procedures for (i) Security Incidents that result in unauthorized access, use, disclosure, modification or destruction of electronic PHI ("ePHI") or interference with system operations ("Successful Security Incidents"); and (ii) Security Incidents that do not result in unauthorized access, use, disclosure, modification or destruction of ePHI or interference with system operations ("Unsuccessful Security Incidents").

i.               Successful Security Incidents. Business Associate shall provide notice to Covered Entity of a Successful Security Incident of which it becomes aware within three (3) business days. At a minimum, such report shall contain the following information: (A) date and time when the Security Incident occurred and/or was discovered; (B) names of systems, programs, or networks affected by the Security Incident; (C) preliminary impact analysis; (D) description of and scope of ePHI used, disclosed, modified, or destroyed; and (E) mitigation steps taken by Business Associate.

ii.              Unsuccessful Security Incidents. To avoid unnecessary burden on either party, Business Associate shall report to Covered Entity any Unsuccessful Security Incident of which it becomes aware only upon request of Covered Entity. The frequency, content and the format of the report of Unsuccessful Security Incidents shall be mutually agreed upon by the parties. If the definition of "Security Incident" is amended under the Security Rule to remove the requirement for reporting "unsuccessful" attempts to use, disclose, modify or destroy ePHI, then this Section 2.5(b)(ii) shall no longer apply as of the effective date of such amendment.

2.4.          Use of Subcontractors. To the extent that Business Associate uses one or more Subcontractors to perform its obligations under an agreement with Covered Entity and such Subcontractors create, receive, maintain or transmit PHI on behalf of Business Associate, Business Associate shall cause each such Subcontractor to agree to comply with the applicable provisions of the Security Rule and to agree to the same restrictions, conditions and requirements that apply to the Business Associate with respect to such PHI.

2.5.          Authorized Access to PHI. To the extent that Business Associate maintains PHI in a Designated Record Set, Business Associate shall provide Covered Entity with access to such PHI in accordance with Covered Entity's written request no later than twenty (20) business days after receipt of such written request by Covered Entity pursuant to 45 CFR § 164.524.

2.6.          Amendment to PHI. To the extent that Business Associate maintains PHI in a Designated Record Set, Business Associate shall amend such PHI in accordance with Covered Entity's written request no later than thirty (30) business days after receipt of such request by Covered Entity pursuant to 45 CFR § 164.526.

2.7.          Accounting of Disclosures of PHI.

(a)            Disclosure Tracking. Business Associate shall retain a record of each disclosure of PHI that Business Associate makes to a third party to the extent required by HIPAA, including (i) the disclosure date; (ii) the name and (if known) address of the person or entity to whom Business Associate made the disclosure; (iii) a brief description of the PHI disclosed; and (iv) a brief statement of the purpose of the disclosure.

(b)            Disclosure Accounting. Business Associate shall provide an accounting of disclosure of PHI to Covered Entity (or to an individual, as so directed by Covered Entity) (i) no later than thirty (30) calendar days after receipt of a written request for such disclosure accounting by Covered Entity pursuant to 45 C.F.R. 164.528, or (ii) in accordance with HIPAA.

2.8.          Performance of Obligation of Covered Entity. To the extent Business Associate is to carry out an obligation of Covered Entity under the Privacy Rule, Business Associate shall comply with the requirements of the Privacy Rule that apply to Covered Entity in performance of such obligation.

2.9.          Inspection of Books and Records. Business Associate shall make its internal practices, books, and records, relating to the use and disclosure of all such PHI, available to HHS to determine the Covered Entity's compliance with HIPAA.

2.10.       Obligations of Covered Entity. Covered Entity shall notify Business Associate of any restriction on the use or disclosure of PHI to which Covered Entity has agreed in accordance with the relevant provisions of HIPAA, to the extent that such restriction may affect Business Associate's use or disclosure of PHI. In addition, Covered Entity shall notify Business Associate of changes in, or revocation of, permission by an individual to use or disclose such individual's PHI to the extent that such change may affect Business Associate's use or disclosure of PHI.

ARTICLE III.
TERM AND TERMINATION

3.1.          Term. The term of this Agreement shall commence as of the Effective Date of this Agreement and shall continue in effect until terminated in accordance with Section 3.2.

3.2.          Termination. This Agreement shall terminate upon the earlier to occur of: (i) termination of the Agreements, whichever is later, or (ii) receipt by Business Associate of Covered Entity's notice to terminate in the event Business Associate breaches a material term of this Agreement and fails to cure such breach to the reasonable satisfaction of Covered Entity after thirty (30) business days written notice of such breach.

3.3.          Return or Destruction of PHI. Upon termination of the Agreement, Business Associate shall automatically return all PHI or copies thereof received from Covered Entity that Business Associate or its agents or Subcontractors still maintain in any form. Prior to the return of PHI to Covered Entity, Business Associate may submit to Covered Entity a written request for permission to destroy PHI, and such request may be approved or denied in the sole discretion of Covered Entity.

3.4.          Continuing Privacy and Security Obligation. If return or destruction is infeasible, Business Associate or its agents or Subcontractors shall: (i) provide to Covered Entity notification of the conditions that make return or destruction infeasible; (ii) continue to extend the protections of this Agreement to such information; and (iii) limit further use of such PHI to those purposes that make the return or destruction of such PHI infeasible.

3.5.          Survival. The obligations of Business Associate under this Article shall survive termination of this Agreement.

ARTICLE IV.
MISCELLANEOUS

4.1.          Applicability. This Agreement shall be applicable to PHI received by Business Associate from Covered Entity or created or received by Business Associate on behalf of Covered Entity.

4.2.          Amendments. The parties acknowledge that state and federal laws relating to data security and privacy are rapidly evolving and that amendment of this Agreement may be required to provide for procedures to ensure compliance with such developments. The parties specifically agree to take such action as is necessary to implement the standards and requirements of HIPAA and other applicable laws relating to the security or confidentiality of PHI.

4.3.          No Third-Party Beneficiaries. Nothing express or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than Covered Entity, Business Associate and their respective successors or assigns, any rights, remedies, obligations or liabilities whatsoever.

4.4.          Conflicts. The terms and conditions of this Agreement will override and control any conflicting term or condition of any other agreements that may be in place between the parties. All non-conflicting terms and conditions of this Agreement and any other agreement between the parties remain in full force and effect.

4.5.          Construction. This Agreement shall be construed as broadly as necessary to implement and comply with HIPAA. Ambiguity in this Agreement shall be resolved in favor of a meaning that complies with HIPAA.

4.6.          Subpoenas. Each party shall provide written notice to the other party of any subpoena or other legal process it receives seeking PHI (a) received by Business Associate from Covered Entity; (b) created or received by Business Associate on behalf of Covered Entity; or (c) otherwise relating to Business Associate's services under the Agreements, respectively. Such written notice shall be provided within forty-eight (48) hours of receipt of a subpoena or other legal process.

4.7.          Notices. All notices required to be given to the Covered Entity under this Agreement will be in writing and sent by traceable carrier to such party's address indicated in the Order. Business Associate acknowledges DOCPACE Intellectual Property including but not limited to that described in U.S. Pat. No. 11282041 (and any continuations or divisional applications thereof). Notices to the Business Associate shall be given to it at the following address:

BUSINESS ASSOCIATE:       DOCPACE, Inc.

111 Veterans Memorial Blvd., STE 250

Metairie, LA 70005

A party may change its address for the giving of notices by at least ten (10) business days' prior written notice to the other party. Notices will be effective upon receipt.

4.8.          Counterparts. This Agreement may be executed in two or more counterparts and each such counterpart executed shall for all purposes be deemed an original, and all counterparts together shall constitute but one and the same instrument. The resulting instrument shall be binding upon all signatories hereof who sign below.

4.9.          Governing Law. This Agreement shall be governed by and interpreted in accordance with the laws of the state of Delaware without giving effect to its conflicts of laws principles.