Kepler's Business Associate Agreement

BUSINESS ASSOCIATE AGREEMENT

This BUSINESS ASSOCIATE AGREEMENT (the “Agreement”), effective ____________ (“Effective Date”), is entered into by and between _______________________, (“Business Associate”) and ___________________________, (“Covered Entity”), in accordance with the definitions provided by 45 CFR §164.501. The Covered Entity and Business Associate are each referred to as “Party” and, collectively as the “Parties”.

WHEREAS the Covered Entity or Business Associate are defined under the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, as amended by the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”)  and the related regulations promulgated by the U.S. Department of Health and Human Services (“HHS”) (collectively, “HIPAA”) and, as such, are required to comply with HIPAA’s provisions regarding the confidentiality and privacy of Protected Health Information (“PHI”).

WHEREAS, Business Associate has an arrangement to provide services (“Services”) on behalf of organizations identified as a Covered Entities under 45 CFR §160.103. 

WHEREAS, in the course of providing the Services, Business Associate will have access to information that may be deemed PHI subject to the provisions of HIPAA.

WHEREAS Parties are committed to complying with all federal and state laws governing the confidentiality and privacy of health information, including, but not limited to, the Standards for Privacy of Individually Identifiable Health Information found at 45 CFR Part 160 and Part 164, Subparts A and E (collectively, the “Privacy Rule”).

WHEREAS Parties intend to protect the privacy and ensure for the security of PHI disclosed to Business Associate pursuant to the terms of the Agreement, HIPAA and other applicable laws.

NOW THEREFORE, in consideration of the mutual promises set forth in the Agreement and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties agree as follows:

1. Definitions

For purposes of the Agreement, the Parties assign the following meaning to each of the terms below. Any capitalized term used in the Agreement, but not otherwise defined, shall have the meaning ascribed to it term in the Privacy Rule or applicable law.

1. Capitalized terms used but not otherwise defined in the Agreement shall have the meanings ascribed in HIPAA (whether or not such terms are capitalized therein) or elsewhere in Agreement, as applicable.

2. “Affiliate” means a subsidiary or affiliate of Covered Entity that is or has been designated as a covered entity under HIPAA.

3. “Breach” means the acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule which compromises the security or privacy of the PHI, as defined in 45 CFR §164.402.

4. “Breach Notification Rule” means the portion of HIPAA set forth in Subpart D of 45 CFR Part 164.

5. “Data Aggregation” means, with respect to PHI created or received by Business Associate in its capacity as the “business associate” under HIPAA of Covered Entity, the combining of such PHI by Business Associate with the PHI received by Business Associate in its capacity as a business associate of one or more other “covered entity” under HIPAA, to permit data analyses that relate to the Health Care Operations (defined below) of the respective covered entities. The meaning of “data aggregation” in this Agreement shall be consistent with the meaning given to that term in the Privacy Rule.

6. “Designated Record Set” has the meaning given to such term under the Privacy Rule, including 45 CFR §164.501.B.

7. “De-Identify” means to alter the PHI such that the resulting information meets the requirements described in 45 CFR §§164.514(a) and (b).

8. “Electronic PHI” means any PHI maintained in or transmitted by electronic media as defined in 45 CFR §160.103.

9. “Health Care Operations” has the meaning given to that term in 45 CFR §164.501.

10. “HHS” means the U.S. Department of Health and Human Services.

11. “HITECH Act” means the Health Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009, Public Law 111-005.

12. “Individual” has the same meaning given to that term i in 45 CFR §§164.501 and 160.130 and includes a person who qualifies as a personal representative in accordance with 45 CFR §164.502(g).

13. “Privacy Rule” means that portion of HIPAA set forth in 45 CFR Part 160 and Part 164, Subparts A and E.

14. “Protected Health Information” or “PHI” has the meaning given to the term “protected health information” in 45 CFR §§164.501 and 160.103, limited to the information created or received by Business Associate from or on behalf of Covered Entity.  

15. “Security Incident” means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.

16. “Security Rule” means the Security Standards for the Protection of Electronic Health Information provided in 45 CFR Part 160 & Part 164, Subparts A and C.

17. “Unsecured Protected Health Information” or “Unsecured PHI” means any “protected health information” as defined in 45 CFR §§164.501 and 160.103 that is not rendered unusable, unreadable or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the HHS Secretary in the guidance issued pursuant to the HITECH Act and codified at 42 USC §17932(h).

2. Obligations and Activities of Business Associate

Business Associate agrees to:  

1. Not to use or disclose PHI other than as permitted or required by the Agreement or as required by law;

2. Use appropriate PHI, to prevent use or disclosure of PHI other than as provided for by the Agreement;

3.  Report to Covered Entity any use or disclosure of PHI provided for by the Agreement of which it becomes aware, including Breaches of Unsecured PHI as required at 45 C.F.R. § 164.410, and any successful Security Incident of which it becomes aware;

4. In accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any Subcontractors that create, receive, maintain, or transmit PHI on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information;

5. Make available PHI in a Designated Record Set to [Covered Entity AND/OR an individual or individual's designee] as necessary to satisfy Covered Entity's obligations under 45 C.F.R. § 164.524, including furnishing upon Covered Entity's request or direction an electronic copy of PHI that is maintained in a Designated Record Set;

6. Make any amendment(s) to PHI in a Designated Record Set as directed or agreed to by the Covered Entity pursuant to 45 C.F.R. § 164.526, or take other measures as necessary to satisfy Covered Entity's obligations under 45 C.F.R. § 164.526;

7. Maintain and make available the information required to provide an accounting of Disclosures to [Covered Entity AND/OR an individual] as necessary to satisfy Covered Entity's obligations under 45 C.F.R. § 164.528;

8.  Make its internal practices, books, and records available to the Secretary for purposes of determining compliance with the HIPAA Rules;

9. Not participate in any sale of PHI;

10. Not use or disclose genetic information for underwriting purposes in violation of the HIPAA Rules;

11. Comply with the Electronic Transaction Rule and any applicable corresponding requirements adopted by HHS with respect to any Electronic Transactions conducted by Business Associate on behalf of Covered Entity in connection with the services provided under this Agreement;

12. Document any disclosures of PHI made by it to account for such disclosures as required by 45 CFR §164.528(a). Business Associate also will make available information related to such disclosures as would be required for Covered Entity to respond to a request for an accounting of disclosures in accordance with 45 CFR §164.528. At a minimum, Business Associate will furnish Covered Entity the following with respect to any covered disclosures by Business Associate: (i) the date of disclosure of PHI; (ii) the name of the entity or person who received PHI, and, if known, the address of such entity or person; (iii) a brief description of the PHI disclosed; and (iv) a brief statement of the purpose of the disclosure which includes the basis for such disclosure;

13. Make available its internal practices, books, agreements, records, and policies and procedures relating to the use and disclosure of PHI, upon request, to the Secretary of HHS for purposes of determining Covered Entity’s and Business Associate’s compliance with HIPAA, and the Agreement.

3. Representations of Business Associate

Business Associate agrees that it is directly liable under the HIPAA Rules and the HITECH Act for making uses and disclosures of PHI that are not authorized by this Agreement or required by law. Business Associate also acknowledges that it is liable for failing to safeguard Electronic PHI in accordance with the HIPAA Security Rule.

4. Permitted Uses and Disclosures by Business Associate

1. Business Associate may use or disclose PHI as necessary to perform the services set forth in the Agreement; 

2.  Business Associate may use or disclose PHI as required by Law;

3. Business Associate agrees to make uses and disclosures and requests for PHI subject to the following Minimum Necessary requirements:

   1. In accordance with HIPAA's Minimum Necessary standard, PHI in connection with its services for the Covered Entity shall be limited to the minimum necessary information to accomplish the intended purpose of any particular use, disclosure, or request. Further, Business Associate shall support any determinations it makes with respect to the Minimum Necessary standard with a rational justification that, as applicable, (i) reflects the technical capabilities of the Business Associate and (ii) factors in relevant privacy and security risks. Business Associate shall record and maintain documentation of all such determinations consistent with reasonable recordkeeping practices and the HIPAA Rule;

4. Business Associate may not use or disclose PHI in a manner that would violate Subpart E of 45 C.F.R. Part 164 if done by Covered Entity;

5. Business Associate may use PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate;

6. Business Associate is authorized to use PHI to de-identify the information 45 C.F.R. 164.514(a)-(c). In prioritizing confidentiality, Business Associate will utilize a PHI-redaction function that deidentifies 18 common identifiers from both auto-transcribed and typed notes before it reaches Business Associate’s servers, as supported by §164.502(d) of the Privacy Rule which outlines the de-identification standard and implementation specifications in §164.514(a)-(b). Business Associate will remove identifiers as per the Safe Harbor method of deidentification §164.514(b)(2), thus data will no longer be classified as PHI. Identifiers include the following: names, geographic subdivisions smaller than a state, all elements of dates  directly related to individual, telephone numbers, fax numbers, electronic mail addresses, social security numbers, medical record numbers, health plan beneficiary numbers, account numbers, certificate/license numbers, vehicle identifiers and serial numbers, device identifiers and serial numbers, Web Universal Resource Locations (URLs), Internet Protocol address numbers, biometric identifiers including finger and voice prints (never requested or processed by Business Associate), full face photographic images and any comparable images (never requested or processed by Business Associate), any other unique identifying number, characteristic or code. 

   1. Business Associate shall not attempt to re-identify de-identified data provided by the Covered Entity or obtained in connection to services rendered under this Agreement, except with express consent from the Covered Entity. Business Associate will ensure that any re-identified data will be protected with the same level of security as PHI and will be used for the purposes explicitly authorized by Covered Entity. 

5. Safeguards

1. Business Associate will use appropriate safeguards to prevent the use or disclosure of PHI other than as provided by this Agreement and Business Associate will implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the Electronic PHI that it creates, receives, maintains or transmits on behalf of Covered Entity. 

   1. Business Associate will delete the source .mp3 file from Business Associate’s cloud storage immediately after audio recording is transcribed. Accordingly, the raw recording media will not be accessed by even the highest permission designated users. 

   2. Business Associate will utilize end-to-end data encryption during telehealth video and voice calls through a HIPAA compliant software development kit that underlies Business Associate’s real time communication implementation for real-time voice and video call data transmission. Data will be encrypted at rest and in transit. 

   3. Business Associate will internally audit its own data access security protocols in order to ensure data is only accessible when specifically requested by both (1) an authenticated user and (2) a user tagged in that specific document. As such, users cannot query, write, create or delete patient documentation. 

   4. Video call data will not be stored on Business Associate’s cloud storage partitions and will immediately be destroyed following processing.  

   5. Business Associate will implement data loss prevention controls with backend algorithms that continuously check against suspicious activity, including large-scale data leaks, breaches, and penetration in data stores. 

2. Business Associate agrees to take reasonable steps, including providing adequate training to its employees to ensure compliance with the Agreement and to ensure that the actions or omissions of its employees or agents do not cause Business Associate to breach the terms of this Agreement.

6. Notification of Breach

If Business Associate discovers a Breach of PHI, the Business Associate will notify the Covered Entity of such Breach that poses a significant risk of harm to the Covered Entity or individuals, in line with HIPAA’s harm threshold. A Breach is treated as discovered by Business Associate on the first day on which such breach is known to Business Associate or, by exercising reasonable diligence, would have been known to Business Associate.  Business Associate shall provide the notification without unreasonable delay and in no case later than 30 calendar days after discovery of the Breach.

7. Mitigation of Disclosures of PHI

Business Associate will take reasonable measures to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of any use or disclosure of PHI by Business Associate or its agents or subcontractors in violation of the requirements of this Agreement.

8. Responsibilities of Covered Entity

With regard to the use and/or disclosure of PHI by Business Associate, Covered Entity agrees to:

1. Notify Business Associate of any limitation(s) in its notice of privacy practices in accordance with 45 CFR §164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI;

2. Notify Business Associate of any changes in, or revocation of, permission by an individual to use or disclose PHI, to the extent that such changes may affect Business Associate’s use or disclosure of PHI;

3. Notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR §164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI;

4. Except for data aggregation or management and administrative activities of Business Associate, Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under HIPAA if done by Covered Entity.

9.  Term and Termination

1. The term of this Agreement shall be effective as of the Effective Date and remains in effect indefinitely until terminated by either party under the conditions specified in the Agreement.

2. Termination for Cause

   1. Business Associate authorizes termination of this Agreement by Covered Entity if Covered Entity reasonably determines in good faith that Business Associate has violated a material term of the Agreement and Business Associate has not cured the Breach or ended the violation to the reasonable satisfaction of Covered Entity within 30 days;

2. Covered Entity authorizes termination of this Agreement by Business Associate if Business Associate reasonably determines in good faith that Covered Entity has violated a material term of the Agreement and Covered Entity has not cured the Breach or ended the violation to the reasonable satisfaction of Business Associate within 30 days.

3. Obligations of Business Associate Upon Termination

   1. Upon termination of this Agreement for any reason, Business Associate shall return to Covered Entity or destroy PHI that the Business Associate still maintains in any form, when reasonably feasible;

   2. If return or destruction of the PHI is not reasonably feasible, Business Associate will furnish Covered Entity with notification, in writing, of the conditions that make return or destruction infeasible. Upon mutual agreement of the Parties that return or destruction of the PHI is infeasible, Business Associate will extend the protections of the Agreement to such information for as long as Business Associate retains such information;

   3. Business Associate shall be responsible for compliance with the obligations regarding any applicable PHI created, received, or maintained by Subcontractors retained by Business Associate.

10. Indemnification 

1. The Business Associate agrees to indemnify, defend, and hold harmless Covered Entity and its employees, contractors, agents, and representatives (collectively, "Covered Entity Indemnitees") from and against any and all claims, obligations, actions, suits, debts, judgments, losses, fines, penalties, damages, costs, expenses (including reasonable attorney's fees), and other liabilities ("Covered Liabilities") incurred by Covered Entity Indemnitees that arise or result from a breach of the terms and conditions of the Agreement within its control and directly related to its obligations under the Agreement. 

2. The Covered Entity agrees to indemnify, defend, and hold harmless Business Associate and its employees, contractors, agents, and representatives (collectively, "Business Associate Indemnitees") from and against Covered Liabilities incurred by Business Associate Indemnitees that arise or result from a breach of the terms and conditions of this Agreement or a violation of HIPAA by Covered Entity or its employees, contractors, agents, or representatives. 

3. The Covered Entity acknowledges that it is solely responsible for its handling, use, and disclosure of the de-identified information and any PHI within its own systems, including any PHI that it chooses to store, process, or transmit on its own servers. The Covered Entity agrees to indemnify, defend, and hold harmless the Business Associate from any claims, actions, penalties, fines, costs, or damages arising from the Covered Entity's mishandling, use, or disclosure of its PHI or de-identified information after receipt from the Business Associate.

4. Notwithstanding the foregoing, Covered Liabilities shall exclude consequential, special, and punitive damages, and the indemnification rights herein are conditioned on (i) the indemnified party giving the indemnifying party prompt written notice of any Covered Liability; (ii) the indemnified party providing commercially reasonable cooperation in the defense or mitigation of a Covered Liability, if reasonably requested by the indemnifying party (with the indemnifying party reimbursing the indemnified party for reasonable out-of-pocket expenses); and (iii) the indemnified party not entering into any settlement without the indemnifying party's prior written consent, which shall not be unreasonably withheld or delayed.

11. Regulatory References

A reference in this Agreement to a section in HIPAA means the section as in effect or as amended at the time

12. Amendments

The Parties agree to take such action as is necessary to amend this Agreement from time to time to ensure compliance with the requirements of the HIPAA Rules and any other applicable law. Any amendment to this Agreement must be in writing and signed by both parties.

13. Severability

The provisions of this Agreement shall be severable, and the invalidity of any provision shall not affect the validity of other provisions.

14. Notices

All notices, requests and demands or other communications to be given under this Agreement to a Party will be made via either first class mail, registered or certified or express courier, or electronic mail.

In light of the mutual agreement and understanding described above, the Parties execute the Agreement as of the date first written above.

FOR THE COVERED ENTITY:

By:

Name:

Title:

FOR THE BUSINESS ASSOCIATE:

By:

Name:

Title: