Business Associate Agreement

To insure compliance with the HIPAA Privacy Rule, please fill out the form below and click Send. Aerolib will co-sign the document and send a hard copy of this agreement by return email.

 

If you have questions or wish to use your own BAA agreement form, please visit our Contact Us form.

All fields are required. A field is supplied at the end of the form for the user to SIGN the form using the Mouse Pointer.

    BUSINESS ASSOCIATE AGREEMENT

    This Subcontractor Privacy Agreement (“Agreement”) is made and entered into by and between User (collectively, “Contractor”) and Aerolib Healthcare Solutions LLC (“Subcontractor”) (each, a “Party” and collectively, the “Parties”).

    This Agreement is effective as of the date executed by Subcontractor on the signature page below or when Subcontractor obtains Protected Health Information (as defined below), from or on behalf of Contractor, if earlier (“Effective Date”).

    WHEREAS, Contractor and Subcontractor are parties to one or more agreements or arrangements pursuant to which Subcontractor performs certain services for Contractor (“Services Agreement”), and Subcontractor may access, use, disclose, transmit or maintain Protected Health Information in connection with the provision of such services to or on behalf of Contractor; and

    WHEREAS, the Parties are committed to compliance with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and regulations promulgated thereunder, and any subsequent amendments or modifications to such regulations including those implementing the requirements of Subtitle D of Title XIII of the American Recovery and Reinvestment Act of 2009 (“HITECH Act”) and applicable state privacy and security laws and regulations (collectively, “HIPAA Rules”); and

    WHEREAS, Contractor qualifies as a “business associate” and Subcontractor as its “subcontractor” as such terms are defined under the HIPAA Rules; and

    WHEREAS, the HIPAA Rules require the Subcontractor to provide satisfactory assurances to Contractor regarding its handling of Protected Health Information, and this Agreement is intended to constitute such satisfactory assurances under the HIPAA Rules;

    NOW, THEREFORE, in consideration of the mutual covenants and conditions contained herein and the continued provision of PHI by Contractor to Subcontractor under the Services Agreement in reliance on this Agreement, the Parties agree as follows:

    1. Definitions. For purposes of this Agreement, the terms below will have the meanings given to them in this Section.
    1.1. Electronic PHI will mean any PHI maintained in or transmitted by “electronic media” as defined in 45 C.F.R. § 160.103.
    1.2. HITECH Act will mean the Health Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009, Public Law 111-005.
    1.3. Protected Health Information or PHI will have the same meaning as such term is defined in 45 CFR 160.103, limited to such information created, received, used, transmitted or stored for or on behalf of Contractor.
    1.4. Secure will mean to render unusable, unreadable or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary in the guidance issued under section 13402(h)(2) of the HITECH Act.
    Capitalized terms used but not otherwise defined herein shall have the same meaning as such terms are defined in the HIPAA Rules.

    2. Use and Disclosure of PHI.
    2.1. Subcontractor agrees to use and disclose PHI only as permitted by this Agreement or as Required By Law.
    2.2. Except as otherwise limited in this Agreement, Subcontractor may use or disclose PHI as necessary to provide the services set forth in the Services Agreement.
    2.3. Except as otherwise limited by this Agreement, Contractor authorizes Subcontractor to use the PHI in its possession as necessary for the proper management and administration of Subcontractor’s business and to carry out its legal responsibilities. Subcontractor may disclose PHI as necessary for its proper management and administration or to carry out its legal responsibilities, only when:
    A. such disclosures are required by law; or
    B. Subcontractor obtains, in writing, prior to making any disclosure to a third party
    a. reasonable assurances from such third party that the PHI will be held confidential as provided under this Agreement and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to such third party; and
    b. an agreement from such third party to notify Subcontractor (which shall in turn notify Contractor) immediately of any breaches of the confidentiality of the PHI, to the extent it has knowledge of such breach.
    2.4. Contractor authorizes Subcontractor to (i) De-Identify PHI for the purposes specified in Sections 2.2 and 2.3; and (ii) De-identify PHI when performing Data Aggregation services with respect to the PHI, so long as the use of the de-identified data is limited to the scope of this project.
    2.5. Subcontractor will not use or disclose PHI in a manner other than as provided in this Agreement and only if permitted under the HIPAA Rules. Subcontractor will not use or disclose PHI in any manner that would violate applicable laws or regulations, including, without limitation, the HIPAA Rules, if done by Contractor. Subcontractor will use or disclose PHI, to the extent practicable, as a Limited Data Set or limited to the minimum necessary to carry out the intended purpose of the use or disclosure, in accordance with 45 C.F.R. 164.502(b), and any guidance issued by the Secretary for each use or disclosure of PHI hereunder.
    2.6. Upon request, Subcontractor will make available to Contractor any PHI that Subcontractor, or any of its subcontractors or agents, have in their possession.

    3. Safeguards Against Misuse of PHI.
    Subcontractor will comply with the HIPAA Security Regulations at 45 CFR Parts 160 and 164, Subpart C, including but not limited to, the implementation of administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, availability, and integrity of the Electronic PHI, and will use appropriate safeguards to prevent the use or disclosure of all PHI other than as provided by this Agreement. Subcontractor agrees to take reasonable steps to ensure that the actions or omissions of its employees, subcontractors or agents do not cause Subcontractor to breach the terms of this Agreement. Subcontractor agrees, to the extent practicable, to secure all Protected Health Information at rest, in motion or in use. Without limiting the foregoing, Contractor agrees in all cases to Secure all electronic Protected Health Information in motion and all electronic Protected Health Information placed or stored on portable devices.

    4. Reporting Disclosures of PHI and Security Incidents.
    Subcontractor will report to Contractor’s Privacy Officer in writing (1) any use or disclosure of PHI not provided for by this Agreement; or (2) any Security Incident affecting Electronic PHI (each of (1) and (2), an “Incident”) within two (2) business days of discovery (within the meaning of 45 CFR 164.410) thereof. Within five (5) calendar days after discovery of an Incident, Subcontractor will provide the information concerning the Incident as required by 45 CFR 164.410(c), and other information reasonably required by Contractor to determine whether a Breach has occurred, including Subcontractor’s own risk assessment to determine whether a Breach has occurred. If such information is not available to Subcontractor at the time the Incident is required to be reported to Contractor, Subcontractor shall provide such information to Contractor promptly as it becomes available. Subcontractor shall maintain complete records regarding the Incident or actual Breach for the period required by 45 CFR 164.530(j) or such longer period required by state law, and shall make such records available to Contractor promptly upon request. Except to the extent that an Incident is caused by the gross negligence or willful misconduct of Contractor, Subcontractor shall be responsible for all costs incurred in connection with an Incident, including, but not limited to, any notifications and mitigation activities that Contractor or its clients determine to be necessary or appropriate, Subcontractor shall notify Contractor of any Incidents within two (2) business days of discovery. Contractor agrees to notify Subcontractor immediately of any known or suspected breach of security that affects Protected Health Information.

    5. Mitigation.
    Subcontractor will mitigate, to the extent practicable, any harmful effect that is known to Subcontractor of any use or disclosure of PHI by Subcontractor or its agents or subcontractors in violation of the requirements of this Agreement.

    6. Agreements with Agents or Subcontractors.
    Subcontractor will ensure that any agent or subcontractor that has access to or to which Subcontractor provides PHI agrees in writing to the restrictions and conditions concerning uses and disclosures of PHI contained herein, and agrees to implement reasonable and appropriate safeguards to protect any Electronic PHI. Contractor warrants that its staff accessing the Subcontractor’s SaaS software have received HIPAA training and remain current in their training requirements.

    7. Access to PHI by Individuals.
    7.1. Upon request, Subcontractor agrees to furnish Contractor with copies of the PHI maintained by Subcontractor in pdf format that mirrors a Designated Record Set, in accordance with 45 CFR 164.524 in the time and manner designated by Contractor, but Contractor must verify to Subcontractor each request from an Individual as dictated by CFR 164.524.
    7.2. In the event any Individual or personal representative requests access to the Individual’s PHI directly from Subcontractor, Subcontractor will forward that request to Contractor within ten (10) business days of receipt thereof. This provision shall only apply so long as requests do not exceed fifty (50) per month. Subcontractor shall not respond to such request unless directed to do so by Contractor.

    8. Amendment of PHI. The parties acknowledge and agree that Contractor controls what PHI is entered into Subcontractor’s software, and therefore, that Contractor maintain the contents of the Designated Record Set on Subcontractor’s system. Subcontractor agrees (i) to allow Contractor access to such Designated Record Set at all times so that Contractor may make amendments to an Individual’s Designated Record Set in accordance with 45 CFR 164.526, and (ii) not to make, or attempt to make, any changes to the PHI entered by Contractor into Subontractor’s software.

    9. Accounting of Disclosures.
    9.1. Subcontractor will document any disclosures of PHI made by it, except for disclosures excepted under 45 C.F.R. § 164.528(a). Subcontractor also will make available information related to such disclosures as would be required for Contractor or its clients to respond to a request for an accounting of disclosures in accordance with 45 C.F.R. § 164.528. At a minimum, Subcontractor will furnish Contractor the following with respect to any accountable disclosures by Subcontractor: (i) the date of disclosure of PHI; (ii) the name of the entity or person who received PHI, and, if known, the address of such entity or person; (iii) a brief description of the PHI disclosed; and (iv) a brief statement of the purpose of the disclosure which includes the basis for such disclosure.
    9.2. Subcontractor hereby agrees to implement an appropriate recordkeeping system to enable it to comply with the requirements of this Section.
    9.3. Subcontractor will furnish to Contractor information collected in accordance with this Section, in the time and manner designated by the Contractor, to permit Contractor or a client of Contractor to make an accounting of disclosures as required by 45 C.F.R. § 164.528.
    9.4. In the event an individual delivers the request for an accounting directly to Subcontractor, Subcontractor will forward such request to Contractor within ten (10) business days of receipt thereof. Subcontractor shall not respond to such request unless directed to do so by Contractor.

    10. Availability of Books and Records. Subcontractor will make available its policies and procedures relating to the use and disclosure of PHI to Contractor and, upon request, to the Secretary for purposes of determining compliance with the HIPAA Rules and this Agreement. Notwithstanding the foregoing, prior to any such disclosure to the Secretary or any other federal or state agency.

    11. Fundraising and Marketing. Without limiting the restrictions on use or disclosure set forth in this Agreement, Subcontractor can use or disclose deidentified PHI for fundraising or marketing purposes. Further, other than remuneration received from Contractor pursuant to the Other Agreement(s), Subcontractor will not receive any remuneration for its use or disclosure of PHI without prior written consent of Contractor.

    12. Delegation. To the extent Subcontractor carries out one or more obligation(s) for Contractor that Contractor has undertaken on behalf of covered entities under Subpart E of 45 CFR Part 164, Subcontractor agrees to comply with the requirements of Subpart E that apply to the covered entities in the performance of such obligation(s).

    13. Obligations of Contractor.
    13.1. Contractor will notify Subcontractor of any restriction to the use or disclosure of PHI and/or any confidential communication requests that Contractor has agreed to in accordance with 45 C.F.R. § 164.522, to the extent that such restriction affects Subcontractor’s use or disclosure of PHI. Subcontractor agrees to comply with such restrictions and/or confidential communication requests promptly upon receipt.
    13.2. Contractor will notify Subcontractor of any changes in, or revocation of, permission by an Individual to use or disclose PHI to the extent that such changes may affect Subcontractor’s use or disclosure of PHI and to the extent that Contractor is made aware of such changes.

    14. Injunctive Relief.
    The parties agree that the remedies at law for a breach by it of the terms of this Agreement may be inadequate and that monetary damages resulting from such breach may not be readily measured. Accordingly, in the event of a breach by either party of the terms of this Agreement, the other party shall be entitled to immediate injunctive relief. Nothing herein shall prohibit either party from pursuing any other remedies that may be available to either to them for such breach.

    15. Indemnification. Contractor will indemnify and hold harmless Subcontractor and any of its officers, directors, employees, or agents from and against any claim, cause of action, liability, damage, cost or expense, including reasonable attorneys’ fees and court or proceeding costs, arising out of or in connection with any breach of the terms of this Agreement by Subcontractor, any Breach of Protected Health Information under the control of Subcontractor or its agents or subcontractors, or any failure to perform its obligations under this Agreement by Subcontractor, its officers, employees, agents or any person or entity under Subcontractor's direction or control.

    16. Term and Termination.
    16.1. This Agreement will become effective on the Effective Date and will continue in effect until termination of the Services Agreement.
    16.2. Contractor may terminate immediately this Agreement and the Services Agreement if the Contractor makes a determination that the Subcontractor has breached a material term of this Agreement and that cure is not possible. Alternately, if Contractor determines that cure is possible, Contractor may allow Subcontractor thirty (30) calendar days to cure such breach and may terminate this Agreement and the Services Agreement immediately upon expiration of the 30-day cure period if Subcontractor has failed to cure that material breach, to Contractor’s reasonable satisfaction, within such thirty (30) day cure period.
    16.3. Upon termination of the Services Agreement for any reason, all PHI maintained by Subcontractor and its subcontractors will be returned to Contractor or, at Contractor’s election, destroyed by Subcontractor and its subcontractors. Subcontractor will not retain any copies of such information. This provision will apply to PHI in the possession of Subcontractor’s subcontractors and agents. If return or destruction of the PHI is not feasible in Subcontractor’s reasonable judgment, Subcontractor will furnish Contractor notification, in writing, of the conditions that make return or destruction infeasible. Upon mutual agreement of the Parties that return or destruction of the PHI is infeasible, Subcontractor will extend the protections of this Agreement to such information for as long as Subcontractor retains such information and will limit further uses and disclosures to those purposes that make the return or destruction of the information not feasible. This Section 16.3 will survive any termination of this Agreement.

    17. Miscellaneous.
    17.1. Conflicts. This Agreement is a part of and subject to the terms of the Services Agreement, except that to the extent any terms of this Agreement conflict or are inconsistent with any term of the Services Agreement, the terms of this Agreement will govern. In the event of inconsistency between the provisions of this Agreement and mandatory provisions of the HIPAA Rules, or their interpretation by any court or regulatory agency of competent authority and jurisdiction over either Party hereto, the terms of the HIPAA Rules, as interpreted by such court or agency, will control. Where the provisions of this Agreement are different from those mandated in the HIPAA Rules, but are nonetheless permitted by such rules as interpreted by courts or agencies, the provisions of this Agreement will control. In the event of any conflict or inconsistency between the terms of this Agreement and the terms of any non-disclosure agreement between the parties, the more restrictive terms will control.
    17.2. Third Party Rights. Except as expressly stated herein or as provided by law, this Agreement will not create any rights in favor of any third party.
    17.3. Survival. This Agreement restates and supersedes any other subcontractor privacy agreements and business associate agreements or the like in effect between the parties hereto. This Section and Sections 3, 4, 14, 15, and 16.3 of this Agreement shall survive termination of the Services Agreement and this Agreement.
    17.4. Regulatory References. A reference in this Agreement to a section in HIPAA means the section as in effect or as amended.
    17.5. Notices. All notices, requests and demands or other communications to be given hereunder to a Party will be made via first class mail, registered or certified or express courier to such Party’s address given below, and/or via facsimile to the facsimile telephone numbers listed below:
    Aerolib Healthcare Solutions LLC
    2770 Main Street, Suite 233
    Frisco, Texas 75034
    Attention: General Counsel

    17.6. Amendments; Waiver. This Agreement may not be modified, nor will any provision be waived or amended, except in writing duly signed by authorized representatives of the Parties. The Parties agree to modify this Agreement from time to time as the Parties reasonably determine is necessary for Contractor and Subcontractor to comply with the HIPAA Rules. A waiver with respect to one event will not be construed as continuing, or as a bar to or waiver of any right or remedy as to subsequent events.

    17.7. Counterparts. This Agreement and any current or future Exhibits attached hereto may be executed in one or more counterparts, each of which will be deemed an original, but all of which together will constitute one and the same document. In making proof of this Agreement, it will not be necessary to produce or account for more than one such counterpart executed by the party against whom enforcement of this Agreement is sought. The Parties agree that any electronic version of a fully executed document will be deemed an original.

    17.8. Ownership of Data. All Protected Health Information shall, as between the parties to this Agreement, at all times be and remain the sole property of Contractor or the applicable Covered Entities for which Contractor serves as a business associate, and Subcontractor shall not have or obtain any rights therein except to use and disclose such information for the purposes stated herein. Subcontractor, however, shall continue to own its intellectual property.

    17.9. Relationship of Parties. It is expressly agreed that Subcontractor, its divisions, and its affiliates, including its employees and subcontractors, are performing the services under this Agreement and the Services Agreement as independent contractors for Contractor. Neither Subcontractor nor of its affiliates, officers, directors, employees or subcontractors is an employee or agent of Contractor. Nothing in this Agreement shall be construed to create (i) a partnership, joint venture or other joint business relationship between the parties or any of their affiliates, or (ii) an agency relationship for purposes of the HIPAA Rules.

    IN WITNESS WHEREOF, the parties hereto, intending to be legally bound, have caused this agreement to be duly executed as of the day and year first hereinabove written

    SIGNED (use your mouse pointer to sign here):