S7Labs LLC Business Associate Agreement

This Business Associate Agreement (“Agreement”) is entered into by and between S7Labs LLC, DBA Medwriter (“Business Associate”) and the entity that is using the service and agreeing to the terms of this BAA (“Covered Entity”) (individually, a “Party” and collectively, the “Parties”). The effective date (“Effective Date”) of this Agreement shall be the date that the Covered Entity begins using the Service.

WHEREAS Covered Entity and Business Associate have entered into a certain agreement for services (“Services”) whereby Business Associate provides or assists Covered Entity with a function or activity that may involve the use or disclosure of protected health information (PHI) (hereinafter the “Services Agreement”);

WHEREAS, both Parties desire to comply with the requirements of the Health Insurance Portability and Accountability Act of 1996 as amended by the American Recovery and Reinvestment Act of 2009 (“HIPAA”), and implementing regulations which are codified at 45 C.F.R. Parts 160, 162 and 164, as such regulations may be amended from time to time and the Health Information Technology for Economic and Clinical Health Act, as incorporated in the American Recovery and Reinvestment Act of 2009 and implementing regulations and guidance issued by the Secretary, all as may be amended from time to time (“HITECH”) (collectively referred to hereinafter as the “HIPAA Standards”); and

WHEREAS, such HIPAA Standards require Covered Entity to enter into a Business Associate Agreement with its Business Associates that provide or assist Covered Entity with a function or activity which may involve the use or disclosure of protected health information (“PHI”); 

WHEREAS, Covered Entity and Business Associate agree to enter into this Business Associate Agreement (“BAA”) to ensure compliance with the HIPAA Standards including the amendments thereto set forth in the HITECH Act and any applicable state laws; and

THEREFORE, in consideration of the Parties’ continuing obligations to each other, compliance with the HIPAA Security and Privacy Rules and the HITECH Act, and other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the Parties agree to the provisions of this Agreement.  

1.  DEFINITIONS

The following terms used in this Agreement shall have the same meaning as those terms in the HIPAA Standards: Breach, Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Individual, Minimum Necessary, Protected Health Information (PHI), Required By Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use. Capitalized terms used in this Agreement, but not otherwise defined, shall have the same meaning as those terms in the HIPAA Standards, as they apply to Business Associate Agreements. 

In the event of an inconsistency between the provisions of this Agreement and mandatory provisions of the HIPAA Standards, the HIPAA Standards in effect at the time shall control.  Where provisions of this Agreement are different than those mandated by the HIPAA Standards, but are nonetheless permitted by such regulations, the provisions of this Agreement shall control. Any reference herein to the HIPAA Standards or other federal or state regulation shall be a reference to such rule or regulation as in effect or as subsequently updated, amended or modified.

2. OBLIGATIONS AND ACTIVITIES OF BUSINESS ASSOCIATE

  1. Use or Disclosure. Business Associate agrees to not use or further disclose PHI other than to perform the services set forth in the Services Agreement, as expressly permitted or required by this Business Associate Agreement or as Required By Law.
  2. Safeguards and Compliance with the HIPAA Security Regulations.  Business Associate agrees to use appropriate, commercially reasonable safeguards to prevent the use or disclosure of PHI other than as provided for by this Agreement.
  3. Mitigation. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this Agreement.
  4. Reporting. Business Associate agrees to report to Covered Entity within thirty (30) business days from the date Business Associate knew or reasonably should have known, any of the following:

    (1) Any use or disclosure of PHI not permitted by this Agreement of which Business Associate becomes aware.

    (2) Any Security Incident of which Business Associate becomes aware.

    (3) The discovery of a Breach of Unsecured PHI.

    For purposes of this Agreement, “Security Incident” shall mean the successful unauthorized access, use, disclosure, modification or destruction of PHI. The Parties acknowledge and agree that this Section 2.d constitutes notice by Business Associate to Covered Entity of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined herein) for which no additional notice is required.  “Unsuccessful Security Incidents” shall include, but not be limited to, pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denials of service, malware such as worms or viruses and any combination of the above, so long as such incidents do not result in unauthorized access, use or disclosure, modification or destruction of PHI.

  5. Business Associates and Agents.  To the extent applicable, Business Associate shall ensure that any subcontractors that create, receive, maintain, or transmit PHI belonging to Covered Entity on behalf of Business Associate agree in writing to substantially the same, but no less stringent conditions, restrictions, and requirements that apply to the Business Associate with respect to such PHI.
  6. Access to PHI.  In the event Business Associate maintains Protected Health Information in a Designated Record Set, Business Associate agrees to provide access to PHI in such Designated Record Set to Covered Entity, within fifteen (15)  business days of Covered Entity’s written request in order to meet the requirements under 45 CFR § 164.524.  In the event any individual requests access to PHI directly from Business Associate, Business Associate shall promptly notify Covered Entity of such request so that Covered Entity can respond directly to such individual in accordance with 45 C.F.R. § 164.524.  Any denials of access to the PHI requested by an individual shall be the responsibility of Covered Entity.  
  7. Amendment of PHI.  Upon receipt of a written request by Covered Entity for the amendment of an individual’s PHI or record contained in a Designated Record Set (for so long as the PHI is maintained in the Designated Record Set), Business Associate shall provide such information to Covered Entity for amendment, within thirty (30) business days of receipt of such written request from Covered Entity, and if applicable, incorporate any such amendments to such PHI as required by 45 C.F.R. §164.526. In the event any individual requests amendment to PHI directly from Business Associate, Business Associate shall notify Covered Entity of such request so that Covered Entity can respond directly to such individual in accordance with 45 C.F.R. § 164.526.
  8. Records.  Business Associate shall make its internal practices, books, and records relating to the Use and Disclosure of PHI received from, or created or received by Business Associate on behalf of, Covered Entity available to the Secretary upon written request, subject to attorney-client and other applicable legal privileges, for purposes of determining compliance with the HIPAA Standards. 
  9. Documentation of Disclosures. To the extent applicable, Business Associate agrees to document Disclosures of PHI and information related to such Disclosures as required for Covered Entity to respond to a request by an Individual for an accounting of Disclosures in accordance with 45 CFR §164.528. 
  10. Accounting of Disclosures. Within thirty (30) days of receipt of written notice from the Covered Entity that Covered Entity has received a request by an individual for an accounting of disclosures of PHI, Business Associate agrees to provide to the Covered Entity such information as necessary for Covered Entity to satisfy its obligations under 45 C.F.R. §164.528.
  11. Prohibition on Sale of PHI.  Business Associate agrees to comply with the prohibition of sale of PHI without authorization unless an exception under 45 C.F.R. § 164.508 applies. This prohibition shall not affect payment by Covered Entity to Business Associate, if any, for services provided by Business Associate to Covered Entity under this Agreement.
  12. Minimum Necessary Use and Disclosure.  In conducting functions and/or activities under this Agreement that involve the use and/or disclosure of PHI, Business Associate agrees to limit the use and/or disclosure of PHI to the minimum amount of information necessary to accomplish the intended purpose of the use or disclosure.  

3. PERMITTED USES AND DISCLOSURES BY BUSINESS ASSOCIATE

  1. General Use and Disclosure Provisions. Except as otherwise limited in this Agreement, Business Associate may use or disclose PHI in connection with its performance of the Services if such use or disclosure of PHI would not violate the HIPAA Standards if done by Covered Entity or such use or disclosure is expressly permitted under Section 3.b (“Specific Use and Disclosure Provisions”) of this Agreement.
  2. Specific Use and Disclosure Provisions.

    (1) Except as otherwise limited in this Agreement, Business Associate may use and disclose PHI for the proper management and administration of the Business Associate or to meet its legal responsibilities; provided, however, that such PHI may be disclosed for such purposes only if the disclosures are required by law or the Business Associate obtains certain reasonable assurances from the person to whom the information is disclosed.  The required reasonable assurances are that:

      (i) the information will remain confidential;

      (ii) the information will be used or further disclosed only as required by law or for the purpose for which the information was disclosed to the person; and

      (iii) the person will notify Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.

    (2) Business Associate may use and disclose PHI to report violations of law to appropriate Federal and State authorities, consistent with 45 C.F.R. §164.502(j)(1).

    (3) Data Aggregation.  Business Associate may provide data aggregation services relating to the health care operations of the Covered Entity as permitted by 45 CFR § 164.504(e)(2)(i)(B).

    (4) De-Identification.  Business Associate may de-identify Protected Health Information, provided that such de-identification is performed in accordance with 45 CFR § 164.514(b). The parties agree that such de-identified information is no longer deemed PHI under the HIPAA Standards.

4. OBLIGATIONS OF COVERED ENTITY

  1. Covered Entity shall provide Business Associate with a copy of its Notice of Privacy Practices that Covered Entity produces in accordance with 45 C.F.R. § 164.520, and shall promptly notify Business Associate in writing of any changes to such Notice of Privacy Practices to the extent such changes may affect Business Associate’s Use or Disclosure of PHI.
  2. Covered Entity shall promptly notify Business Associate in writing of any changes in, or revocation of, permission by Individual to use or disclose PHI, if and to the extent such changes affect Business Associate's permitted or required uses and disclosures of PHI.
  3. Covered Entity shall promptly notify Business Associate in writing of any restriction to the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by in accordance with 45 C.F.R. § 164.522, if and to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.
  4. Covered Entity shall not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under Subpart E of 45 CFR Part 164 if done by Covered Entity.
  5. To the extent applicable, Covered Entity shall obtain any consent, authorization, or permission that may be required by the Privacy Rule or other applicable federal or state laws and regulations before disclosing to Business Associate the Protected Health Information pertaining to an Individual.
  6. To the extent permitted by law, Covered Entity shall indemnify, defend, and hold harmless Business Associate from any and all liability, claim, penalty, lawsuit, actual and direct loss, expense or damage resulting from or relating to the acts or omissions of Covered Entity in connection with its representations, duties, and obligations under this BAA.

5.  TERM AND TERMINATION

  1. Term.  This Agreement shall continue in effect until the later of (a) termination or expiration of the underlying Services Agreement or (b) when all of the PHI provided by Covered Entity to Business Associate or created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity is destroyed or returned to Covered Entity in accordance with Section 5(c) below.
  2. Termination for Cause. Upon either Party’s knowledge of a material breach by the other Party, the terminating Party shall notify the other Party in writing and provide an opportunity for the breaching Party to cure the breach or end the violation within thirty (30) days of such notice, and terminate this Agreement if the breaching Party does not cure the breach or end the violation within the time specified. If a cure is not reasonably possible, the terminating Party may immediately terminate this Agreement and any such other agreement upon its knowledge of the material breach, upon written notice to the other Party.
  3. Effect of Termination. Upon termination of this Agreement for any reason, Business Associate shall return or destroy (as directed by Covered Entity) all PHI received from Covered Entity or created or received by Business Associate or any Subcontractor on behalf of Covered Entity and neither Business Associate nor any Subcontractor shall retain copies of the PHI.   In the event Business Associate determines that returning or destroying (as directed by Covered Entity) the PHI is infeasible, Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI. 

6.  MISCELLANEOUS 

  1. No Third-Party Beneficiaries.  There are no intended third party beneficiaries to this Agreement.  Without in any way limiting the foregoing, it is the parties’ specific intent that nothing contained in this Agreement give rise to any right or cause of action, contractual or otherwise, in or on behalf of any Individual whose PHI is used or disclosed pursuant to this Agreement.
  2. Relationship of the Parties.  In the performance of the work, duties and obligations described in this Agreement or in any other agreement between the parties, the parties acknowledge and agree that each party is at all times acting and performing as an independent contractor and at no time shall the relationship between the parties be construed as a partnership, joint venture, employment, principal/agent relationship, or master/servant relationship.
  3. Interpretation.  Any ambiguity in this Business Associate Agreement shall be resolved in favor of a meaning that permits the Parties to comply with the HIPAA Standards.
  4. Amendment.  This Business Associate Agreement shall only be amended or modified upon written consent of the Parties.  The Parties agree to take such action as is necessary to amend this Agreement from time to time as necessary for compliance with the requirements of the HIPAA Standards and any other applicable law.
  5. Severability.  If any provision of this Business Associate Agreement shall be declared invalid or illegal for any reason whatsoever, then notwithstanding such invalidity or illegality, the remaining terms and provisions of this Business Associate Agreement shall remain in full force and effect in the same manner as if the invalid or illegal provision had not been contained herein, and such invalid, unenforceable or illegal provision shall be valid, enforceable and legal to the maximum extent permitted by law. 
  6. Governing Law.  The validity, interpretation, and performance of this Agreement shall be construed in accordance with the laws of the state where the Covered Entity is located, without reference to its conflict of laws principles.
  7. Notices.  Any notice or other communication given pursuant to this Business Associate Agreement must be in writing and (i) delivered by hand, (ii) delivered by overnight express, or (iii) sent by registered or certified mail, postage prepaid, to the address set forth above and shall be considered given upon delivery.
  8. Prior Agreements. This Agreement supersedes and terminates all prior agreements (with the exception of any existing Services Agreement), whether written or oral, to which the Parties or any of them are also parties concerning its subject matter, and as of the execution of this Agreement, none of such other agreements shall any longer have any force or effect. This Agreement and any Services Agreement previously executed between the Parties contain the entire understanding of the Parties with respect to the subject matter of this Agreement, and the terms of this Agreement are contractual and not a mere recital.
  9. Modification. No addition or modification to this Agreement shall be valid unless made in writing and signed by both parties.
  10. Waiver. No change, waiver or discharge of any liability or obligation hereunder on any one or more occasions shall be deemed a waiver of performance of any continuing or other obligation, or shall prohibit enforcement of any obligation, on any other occasion.

The Parties understand and execute this Agreement and agree to be bound by its terms as of the Effective Date first set forth above.