AIR VISITS, INC.
BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement (“Agreement”) is made and entered into between Air Visits, Inc., with offices at 150 Clove Road, 2nd Floor Convention Center, Little Falls, NJ 07424 (“Business Associate”), and you or the entity you represent, a healthcare provider (“Covered Entity”). If you are entering into this Agreement on behalf of a Covered Entity, such as the company you work for, you represent that you are authorized by such Covered Entity, and lawfully able, to enter into this Agreement to legally bind that Covered Entity. This Agreement becomes effective on the date you click “I Accept” or other electronic means of signature made available to you by the Business Associate (such date, the “Effective Date”). BY CLICKING “I ACCEPT,” YOU ACKNOWLEDGE THAT YOU HAVE REVIEWED AND AGREE TO BE BOUND BY THE TERMS AND CONDITIONS OF THIS AGREEMENT.
WHEREAS, the parties wish to enter into or have entered into an agreement (“Services Agreement”) pursuant to which Business Associate will provide certain services to, for, or on behalf of Covered Entity involving the use or disclosure of Protected Health Information (“PHI”), and pursuant to such Services Agreement, Business Associate may be considered a “business associate” of Covered Entity; and
WHEREAS, Covered Entity and Business Associate intend to protect the privacy and provide for the security of PHI disclosed to Business Associate pursuant to the Services Agreement in compliance with the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 (“HIPAA”) and the Standards for Privacy of Individually Identifiable Health Information promulgated thereunder by the U.S. Department of Health and Human Services at 45 CFR § 160 and § 164 (the “HIPAA Rules”), and the Health Information Technology for Economic and Clinical Health Act of 2009 (the “HITECH Act”), in each case as amended from time to time; and
WHEREAS, the purpose of this Agreement is to satisfy certain standards and requirements of the HIPAA Rules and the HITECH Act, as the same may be amended from time to time.
NOW, THEREFORE, in consideration of the mutual promises below and the exchange of information pursuant to this Agreement, the parties agree as follows:
Terms used but not otherwise defined in this Agreement shall have the same meaning as set forth in 45 CFR Parts 160, 162 and 164, or the HITECH Act.
2. Obligations of Business Associate.
b. Nondisclosure. Business Associate shall not Use or further Disclose PHI other than as permitted or required by this Agreement.
c. Safeguards. Business Associate shall use appropriate safeguards to prevent Use or Disclosure of PHI other than as provided for by this Agreement. Business Associate shall maintain a comprehensive written information privacy and security program that includes administrative, technical and physical safeguards appropriate to the size and complexity of the Business Associate’s operations and the nature and scope of its activities.
d. Reporting of Disclosures; Mitigation. Business Associate shall report to Covered Entity any Breach of Unsecured PHI of which Business Associate becomes aware as required at 45 CFR 164.410, and any Security Incident of which it becomes aware. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a Breach of Unsecured PHI by Business Associate in violation of the requirements of this Agreement. Business Associate further agrees, consistent with Section 13402 of the HITECH Act, to provide Covered Entity with information necessary for Covered Entity to meet the requirements of said section, and in a manner and format to be specified by Covered Entity.
e. Business Associate’s Agents. Except as otherwise permitted under HIPAA, the HIPAA Rules or the HITECH Act, Business Associate shall ensure that any subcontractors to whom it provides PHI received from (or created or received by Business Associate on behalf of) Covered Entity agree to the same restrictions and conditions that apply to Business Associate with respect to such PHI.
f. Availability of Information to Covered Entity. Business Associate shall make available to Covered Entity (or, as directed by Covered Entity, to an Individual) such information as Covered Entity may request, and in the time and manner designated by Covered Entity, to fulfill Covered Entity’s obligations (if any) to provide access to, provide a copy of, and account for disclosures with respect to PHI pursuant to HIPAA and the HIPAA Rules, including, but not limited to, 45 CFR §§ 164.524 and 164.528.
g. Amendment of PHI. Business Associate shall make any amendments to PHI in a Designated Record Set that the Covered Entity directs or agrees to at the request of Covered Entity or an Individual, and in the time and manner designated by Covered Entity, to fulfill Covered Entity’s obligations (if any) to amend PHI pursuant to HIPAA and the HIPAA Rules, including, but not limited to, 45 CFR § 164.526, and Business Associate shall, as directed by Covered Entity, incorporate any amendments to PHI into copies of such PHI maintained by Business Associate.
h. Internal Practices. Business Associate shall make its internal practices, books and records relating to the use and disclosure of PHI received from Covered Entity (or created or received by Business Associate on behalf of Covered Entity) available to the Secretary of the U.S. Department of Health and Human Services, in a time and manner designated by Covered Entity or the Secretary, for purposes of the Secretary of the U.S. Department of Health and Human Services determining Covered Entity’s compliance with HIPAA and the HIPAA Rules.
i. Documentation of Disclosures for Accounting. Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR § 164.528.
j. Access to Documentation for Accounting. Business Associate agrees to provide to Covered Entity or an Individual, in a time and manner designated by Covered Entity, information documented in accordance with Section 2(i) of this Agreement in a time and manner as to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR § 164.528.
k. Minimum Necessary. When using, disclosing, or requesting PHI from the Covered Entity, or in accordance with any provision of this Agreement, Business Associate shall limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
3. Obligations of Covered Entity.
a. Covered Entity shall be responsible for using appropriate safeguards to maintain and ensure the confidentiality, privacy and security of PHI transmitted to Business Associate pursuant to the Agreement and this Agreement, in accordance with the standards and requirements of HIPAA and the HIPAA Rules, until such PHI is received by Business Associate.
b. Upon request, Covered Entity shall provide Business Associate with the notice of privacy practices that Covered Entity produces in accordance with 45 CFR § 164.520, as well as any changes to such notice.
c. Covered Entity shall provide Business Associate with any changes in, or revocation of, permission by an Individual to use or disclose PHI, if such changes affect Business Associate’s permitted or required uses or disclosures.
d. Covered Entity shall remain responsible for any and all use, access or disclosure of PHI by Covered Entity’s user or through Covered Entity’s account credentials, and Covered Entity shall ensure that user access is terminated when no longer active to prevent Covered Entity’s unauthorized disclosure of PHI.
e. Covered Entity shall notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR § 164.522, if such restriction affects Business Associate’s permitted or required uses or disclosures.
4. Term and Termination.
a. Term. The Term of this Agreement shall become effective as of the Effective Date and shall terminate when all of the PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy PHI, protections are extended to such information, in accordance with the termination provisions of this Section. The provisions of this Agreement shall survive termination of the Agreement to the extent necessary for compliance with HIPAA and the HIPAA Rules.
b. Material Breach. A material breach by either party of any provision of this Agreement shall constitute a material breach of the Agreement, if such breach is not cured by the breaching party within thirty (30) days of receipt of notice describing the material breach.
c. Reasonable Steps to Cure Breach. If either party learns of an activity or practice of the other party that constitutes a material breach or violation of the other party’s obligations under the provisions of this Agreement, then the non-breaching party shall notify the breaching party of the breach and the breaching party shall take reasonable steps to cure such breach or violation, as applicable, within a period of time which shall in no event exceed sixty (60) days. If the breaching party’s efforts to cure such breach or violation are unsuccessful, the non-breaching party shall either terminate the Agreement, if feasible, or if termination of the Agreement is not feasible and the breaching party has violated the HIPAA Rules, the non-breaching party may report the breaching party’s breach or violation to the Secretary of the U.S. Department of Health and Human Services.
d. Judicial or Administrative Proceedings. Either party may terminate the Agreement, effective immediately, if the other party is named as a defendant in a criminal proceeding for an alleged violation of HIPAA, or a finding or stipulation that the other party has violated any standard or requirement of HIPAA or other security or privacy laws is made in any administrative or civil proceeding in which the party has been joined.
e. Effect of Termination.
1. Except as provided in paragraph (e)(2) of this Section or if required by law or regulation to be maintained by Business Associate, upon termination of the Agreement for any reason, Business Associate shall return at Covered Entity’s expense or destroy all PHI received from Covered Entity (or created or received by Business Associate on behalf of Covered Entity) that Business Associate still maintains in any form, and shall retain no copies of such PHI. This provision shall apply to PHI that is in the possession of subcontractors or agents of Business Associate.
2. In the event that Business Associate determines that returning or destroying the PHI is infeasible, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction infeasible. Upon mutual agreement of the parties that return or destruction of PHI is infeasible, Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI. The obligations of Business Associate under this Section shall survive the termination of the Agreement.
5. Disclaimer. Covered Entity makes no warranty or representation that compliance by Business Associate with this Agreement, HIPAA or the HIPAA Rules will be adequate or satisfactory for Business Associate’s own purposes or that any information in Business Associate’s possession or control, or transmitted to or received by Business Associate, is or will be secure from unauthorized use or disclosure. Business Associate is solely responsible for all decisions made by Business Associate regarding the safeguarding of PHI.
6. Amendment to Comply with Law. The parties acknowledge that state and federal laws relating to electronic data security and privacy are rapidly evolving and that amendment of the Agreement may be required to provide for procedures to ensure compliance with such developments. The parties specifically agree to take such action as is necessary to implement the standards and requirements of HIPAA, the HIPAA Rules, the HITECH Act, and other applicable laws relating to the security or confidentiality of PHI. Upon the request of either party, the parties shall promptly enter into negotiations concerning the terms of an amendment to the Agreement embodying written assurances consistent with the standards and requirements of HIPAA, the HIPAA Rules, the HITECH Act, or other applicable laws relating to security and privacy of PHI. Either party may terminate the Agreement upon thirty (30) days’ written notice in the event the other party does not promptly enter into negotiations to amend the Agreement when requested pursuant to this Section, or does not enter into an amendment to the Agreement providing assurances regarding the safeguarding of PHI that satisfy the standards and requirements of HIPAA, the HIPAA Rules, the HITECH Act, or any other applicable laws relating to security and privacy of PHI.
7. Assistance in Litigation or Administrative Proceedings. Business Associate shall make itself, and any subcontractors, consultants, employees or agents assisting Business Associate in the performance of its obligations under this Agreement, available to Covered Entity, to testify as witnesses, or otherwise, in the event of litigation or administrative proceedings being commenced against Covered Entity, its directors, officers or employees based upon claimed violations of HIPAA, the HIPAA Rules or other laws relating to security and privacy, except where Business Associate or its subcontractor, employee or agent is a named adverse party or there exists a conflict or potential conflict between the parties; provided, however, that Covered Entity pays Business Associate, its subcontractors or consultants their current rate for their time and reimburses for all reasonable expenses.
8. No Third Party Beneficiaries. Nothing in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than Covered Entity, Business Associate and their respective successors and assigns, any rights, remedies, obligations or liabilities whatsoever and no other person or entity shall be a third party beneficiary of this Agreement.
9. Effect on Agreement. Except as specifically required to implement the purposes of this Agreement, or to the extent inconsistent with this Agreement, all other terms of the Agreement shall remain in full force and effect.
10. Governing Law. This Agreement shall in all respects be interpreted, enforced and governed by the laws of the State of New Jersey without regard to its conflicts of law provisions. Any action, suit or proceeding to enforce this BAA shall be brought exclusively in the federal or state courts located in the state of New Jersey.
11. Interpretation. This Agreement shall be interpreted as broadly as necessary to implement and comply with HIPAA, the HIPAA Rules and any other applicable law relating to security and privacy of PHI. Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits Covered Entity to comply with the HIPAA Rules.
12. Regulatory References. A reference in this Agreement to a section in the HIPAA Rules or the HITECH Act means the section as in effect or as amended, and for which compliance is required.