Business Associate Agreement – BAA

Appendix E: business associate agreement

This Business Associate Agreement (“BAA”) is entered into by and between Sponsor, on behalf of itself and as the plan sponsor and plan administrator for  its group health plans as applicable(collectively “Covered Entity”) and Personify Health, Inc. and Personify Health Holding Company, LLC, and its subsidiaries including Personify Health Solutions, LLC, and MedCom Care Management, L.L.C. as applicable, 7591 N. Ingram, Suite 105, Fresno, CA 93711, on behalf of itself and its affiliates (“Business Associate”) (collectively, the “Parties” or individually, a “Party”).

Whereas Business Associate renders health plan administration, wellness, and related services to Covered Entity under an existing written agreement (the “Agreement”), that may involve the use, disclosure and/or creation of certain Protected Health Information (“PHI”), as defined below; and

Whereas, the Parties desire to protect the privacy and security of any PHI transmitted to Business Associate in compliance with (i) the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) as amended by the Health Information Technology for Clinical Health (“HITECH”) Act, Title XIII of Division A and Title IV Division B of the American Recovery and Reinvestment Act of 2009, as set forth in Title 45, Parts 160, 162 and 164 of the Code of Federal Regulations (“CFR”), in each case only as of its applicable compliance date (the “Omnibus Regulations”) that apply to covered entities and business associates; and (ii)  the Privacy, Security, Breach Notification and Enforcement Rules at 45 CFR Part 160, Part 162, and Part 164, as further amended from time to time (“HIPAA Rules”).  

Now, therefore the Parties agree as follows:

  1. Term.  The term of this BAA (“Term”) shall be coterminous with the Agreement. This BAA supersedes and replaces any other agreement previously put in place between the Partiesgoverning PHI.
  2. Termination.  Without limiting any other rights of the Parties, if either Party materially fails to adhere to its obligations under this BAA, the other Party may terminate this BAA if such failure is not cured within thirty (30) calendar days.  Subject to Section 12, this BAA will automatically terminate upon termination or expiration of the Agreement.
  3. Definitions.  Capitalized terms used in this BAA without definition shall have the respective meanings assigned to such terms by HIPAA.“PHI” and “Electronic Protected Health Information” (“ePHI”) shall have the same meaning given to such terms in the HIPAA Rules, limited to such information created, received, maintained or transmitted to Business Associate by Covered Entity solely in its capacity as a Covered Entity.
  4. Use and Disclosure of PHI.  Business Associate may use and disclose PHI as permitted or required under the Agreement and this BAA or as required by law, and shall not otherwise use or disclose any PHI. Business Associate shall not use or disclose PHI received from Covered Entity in any manner that would constitute a violation of HIPAA if so used or disclosed by Covered Entity (except as set forth in Sections 4.1(a), (b) and (c) of this BAA). To the extent Business Associate carries out any of Covered Entity’s obligations under the HIPAA privacy standards, Business Associate shall comply with the requirements of HIPAA that apply to Covered Entity in the performance of such obligations. Without limiting the generality of the foregoing, Business Associate is permitted to use or disclose PHI as set forth below:
    1. Business Associate may use PHI internally for Business Associate’s proper management and administration or to carry out its legal responsibilities;
    1. Business Associate may disclose PHI to a third party for Business Associate’s proper management and administration, provided that the disclosure is Required by Law or Business Associate obtains reasonable assurances from the third party to whom the PHI is to be disclosed that the third party will (1) protect the confidentiality of the PHI, (2) only use or further disclose the PHI as required by law or for the purpose for which the PHI was disclosed to the third party and (3) notify Covered Entity of any instances of which the third party is aware in which the confidentiality of the PHI has been breached;
    1. Business Associate may use PHI to provide Data Aggregation services relating to the Health Care Operations of Covered Entity if required or permitted under the Agreement or this BAA; and
    1. Business Associate may use PHI to create de-identified health information in accordance with the HIPAA de-identification requirements. Business Associate may use and disclose de-identified health information for any purpose permitted by law.
  5. Safeguards.  Business Associate shall use appropriate administrative, technical, and physical safeguards, and where applicable, comply with the Security Rule with respect to ePHI, to prevent the use or disclosure of PHI and ePHI in a manner that would violate this BAA and to reasonably and appropriately protect the confidentiality, integrity and availability of ePHI that it creates, receives, maintains or transmits on behalf of Covered Entity. 
  6. Subcontractors. Business Associate shall enter into a written agreement meeting the requirements of 45 C.F.R. §§ 164.504(e) and 164.314(a)(2) with each Subcontractor (including, without limitation, a Subcontractor that is an agent under applicable law) that creates, receives, maintains or transmits PHI on behalf of Business Associate. Business Associate shall ensure that the written agreement with each Subcontractor obligates the Subcontractor to comply with restrictions and conditions that are at least as restrictive as the restrictions and conditions that apply to Business Associate under this BAA.
  7. Notification.  Business Associate shall report to the Covered Entity any Use or Disclosure of PHI not permitted by this BAA, including Breaches of Unsecured PHI and any Security Incident, of which Business Associate becomes aware without unreasonable delay, and in any event within ten (10) business days. Covered Entity acknowledges that Business Associate may be subject to any number of unsuccessful Security Incidents, including but not limited to, routine port scans or “pings” and other broadcast attacks on Business Associate’s firewall, unsuccessful log-on attempts, denial of service attacks, and any combination of the above (each an “Unsuccessful Security Incident”), as long as such Unsuccessful Security Incident does not result in unauthorized access, Use, Disclosure, destruction or modification of PHI or ePHI, Business Associate and Covered Entity agree that this BAA serves as notice of such Unsuccessful Security Incidents.
  8. Accounting of Uses or Disclosures.  Business Associate agrees to provide to Covered Entity, within twenty (20) business days of Business Associate’s receipt of a written request from Covered Entity, information collected in accordance with this BAA, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528.  If an Individual makes a request for an accounting of disclosures of PHI pursuant to 45 C.F.R. § 164.528 directly to Business Associate, or inquires about his or her right to an accounting of disclosures of PHI, Business Associate shall direct the Individual to Covered Entity.
  9. Access to Records.  To the extent Business Associate maintains a Designated Record Set on behalf of Covered Entity,  and upon confirming the identity of an Individual (or an Individual’s personal representative), Business Associate will respond to an Individual’s request for access to his or her PHI, if the request is communicated to Business Associate directly by the Individual in a manner and time frame consistent with requirements specified in 45 CFR § 164.524. In addition, upon receipt of a written request from Covered Entity, Business Associate will, unless the Covered Entity requests otherwise, respond on behalf of the Covered Entity to an Individual’s request to invoke a right of access under 45 CFR § 164.524 as if the access request had been communicated to Business Associate directly by the Individual. If Covered Entity requests that Business Associate not respond as provided in the foregoing sentence, then Business Associate will make available shall make available to Covered Entity such PHI.  
  10. Amendment of PHI.  To the extent Business Associate maintains a Designated Record Set on behalf of Covered Entity, and upon confirming the identity of an Individual (or an Individual’s personal representative), Business Associate will respond to an Individual’s request to amend any PHI if the request is communicated to Business Associate directly by the Individual. Despite the fact that the request is not made to the Covered Entity, Business Associate will respond to the request with respect to the PHI Business Associate maintains in a manner and time frame consistent with requirements specified in HIPAA and 45 CFR § 164.526. In addition, upon receipt of written request from Covered Entity, Business Associate will, unless Covered Entity requests otherwise, respond on behalf of Covered Entity to an Individual’s request to amend his or her PHI as if the amendment request had been communicated to Business Associate directly by the Individual. 
  11. Government Access to Records.  Business Associate agrees to make available its policies, books and records related to the use and disclosure of PHI to the Secretary of the U.S. Department of Health and Human Services or his or her designee for the purpose of determining whether Business Associate and/or Covered Entity is in compliance with HIPAA, subject to attorney-client and other applicable legal privileges.
  12. Disposition of Records upon Termination.  Except where Business Associate is required to retain certain PHI to comply with applicable laws, Business Associate agrees to destroy all PHI created, maintained or received under this BAA within ninety (90) days of termination of this BAA.  If such destruction of records is not feasible, or where Business Associate is required to retain certain PHI by applicable laws, Business Associate will continue to extend the protections of this BAA to such PHI and limit any further use of PHI to those purposes that require Business Associate to retain the PHI under applicable laws and/or purposes that make the destruction of the PHI infeasible. Covered Entity agrees that it is infeasible for Business Associate to destroy PHI reasonably needed to be retained by Business Associate for its own legal and risk management purposes and the protections in the BAA are extended to such information as set forth in Section 19 herein.
  13. Obligations of Covered Entity.
    1. Covered Entity shall provide Business Associate with the notice of privacy practices that Covered Entity produces in accordance with 45 CFR § 164.520, as well as any changes to that notice. Except as required by law, with Business Associate’s consent or as set forth in this BAA, Covered Entity shall not include any limitation in the Covered Entity’s notice of privacy practices that limits Business Associate’s use or disclosure of PHI under this BAA.
    1. Covered Entity shall promptly provide Business Associate with any changes in, or revocation of, permission by an individual (or an individual’s personal representative) to use or disclose PHI, if such changes affect Business Associate’s permitted or required uses and disclosures. Covered Entity shall not agree to any restriction on the use or disclosure of PHI under 45 C.F.R. § 164.522 that restricts Business Associate’s use or disclosure of PHI under this BAA unless such restriction is required by law or Business Associate grants its written consent, which consent shall not be unreasonably withheld.
    1. Covered Entity acknowledges that it shall provide to, or request from, the Business Associate only the minimum PHI necessary to perform or fulfill a specific function required or permitted hereunder.
    1. Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy Rule if done by Covered Entity except as provided herein in accordance with 45 CFR §164.504(e).
    1. Covered Entity in performing its obligations and exercising its rights under this BAA shall use and disclose PHI in compliance with the HIPAA Rules.
  14. No Third-Party Beneficiaries. The Parties have not created and do not intend to create by this BAA any third-party rights, including, but not limited to, third party rights for Covered Entity’s members.
  15. Authorization to Receive PHI. Covered Entity shall provide to Business Associate a written list of the names of those individuals in its Workforce that are authorized to receive or access PHI on its behalf, and to provide reasonable prior written notice to Business Associate of any changes to such list.  In the absence of Covered Entity providing such list, Business Associate may assume, consistent with 45 CFR §164.504(f), that those individuals that are Participants of the Workforce of Covered Entity who request or receive PHI from Business Associate are performing plan administration activities for Covered Entity and are authorized to receive or access PHI on its behalf.
  16. Independent Contractor Status. The Parties acknowledge and agree that Business Associate is at all times acting as an independent contractor of Covered Entity and not as an agent or employee of Covered Entity under this BAA. Nothing in this BAA shall confer any right, remedy or obligation upon anyone other than Covered Entity and Business Associate.    
  17. General. In the event of any inconsistency between the provisions of this BAA and the Agreement, the provisions of this BAA shall control.  In the event of inconsistency between the provisions of this BAA and mandatory provisions of the Privacy Rule, the Security Rule or the HIPAA Final Rule, or their interpretation by any court or regulatory agency with authority over Business Associate or Covered Entity, such interpretation shall control; provided, however, that if any relevant provision of the Privacy Rule, the Security Rule or the HIPAA Final Rule is amended in a manner that changes the obligations of Business Associate or Covered Entity that are embodied in terms of this BAA, then the Parties agree to negotiate in good faith appropriate non-financial terms or amendments to this BAA to give effect to such revised obligations. 
  18. Indemnification and Limitation of Liability. The provisions in the Agreement with respect to damages, indemnification and any limitation of liability shall apply in equal respect to this BAA.
  19. Governing Law. This BAA is governed by, and shall be construed in accordance with, the laws of the State that govern the Agreement. 
  20. Severability. If any part of a provision of this BAA is found illegal or unenforceable, it shall be enforced to the maximum extent permissible, and the legality and enforceability of the remainder of that provision and all other provisions of this BAA shall not be affected. 
  21. Notices. All notices relating to the Parties’ legal rights and remedies under this BAA shall be provided in writing to a Party, shall be sent to its address set forth in the signature block below, or to such other address as may be designated by that Party by notice to the sending Party, and shall reference this BAA.
  22. Modification. This BAA may be modified, or any rights under it waived, only by a written document executed by the authorized representatives of both Parties. 
  23. Exclusive Agreement. This BAA is the complete and exclusive agreement between the Parties with respect to the subject matter hereof, superseding and replacing all prior agreements, communications and understandings (written and oral) regarding its subject matter.  

(Signature Page to Follow)

IN WITNESS WHEREOF, the Parties have executed this BAA as of the latest date of execution by the Parties.

By: Covered Entity: Sponsor on behalf of the Plan

 ____________________________________ (Signature)

____________________________________ (Print Name)

____________________________________ (Title)

____________________________________ (Date)

By: Business Associate

____________________________________ (Signature)

____________________________________ (Print Name)

____________________________________ (Title)

____________________________________ (Date)