This Business Associate Agreement is made and entered into effective __________, 2023, by and between OneSchema, Inc. (“Business Associate”), and _____________ (“Customer”).
WHEREAS, Business Associate and Customer entered into a services agreement dated ___________, 2023 (“Contract”) whereby Business Associate acts as a “business associate” of the Customer for purposes of the Health Insurance Portability and Accountability Act of 1996, Public Law 104-1 (“HIPAA”); the Health Information Technology for Economic and Clinical Health Act, Public Law 111-005 (the “HITECH Act”); and
WHEREAS, as required by HIPAA, Business Associate and Customer entered into a Business Associate Agreement dated ____________, 2023 (“BA Agreement”) satisfying the requirements of Part 164.504(e) of Title 45, Code of Federal Regulations; and
WHEREAS, Business Associate and Customer must amend the BA Agreement by no later than September 23, 2013, to incorporate new provisions mandated by recent amendments to HIPAA’s Privacy, Security, Breach Notification, and Security Rules at 45 CFR Part 160 and Part 164 (the “HIPAA Rules”); and
WHEREAS, Business Associate and Customer desire to amend the BA Agreement so as to remain in compliance with HIPAA.
NOW, THEREFORE, in consideration of the mutual promises below, the parties agree as follows:
- Business Associate agrees to use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 (the “Security Rule”) with respect to Electronic Protected Health Information, to prevent Use or Disclosure of the Protected Health Information. Such safeguards and compliance with the Security Rule shall include compliance with the administrative, physical, and technical safeguards and documentation requirements set forth in 45 CFR Parts 164.308, 164.310, 164.312 and 164.316.
- Business Associate agrees to report to Covered Entity, in writing, within 48 hours of discovery any Use, Disclosure, or Breach of Protected Health Information not provided for by the BA Agreement, as hereby amended, of which it becomes aware, including any Breach of Unsecured Protected Health Information, as required by 45 CFR Part 164.410 (the “Data Breach Notification Rule”), and any Security Incident of which Business Associate becomes aware. Such notice shall include the identity of each individual whose Protected Health Information or Unsecured Protected Health Information was, or is reasonably believed by Business Associate to have been, accessed, acquired, Used, or Disclosed during the Breach.
- Business Associate agrees, in accordance with 45 CFR Parts 164.502(e)(1)(ii) and 164.308(b)(2), to ensure that any agent, including a subcontractor who creates, receives, maintains or transmits Protected Health Information on behalf of Business Associate in connection with the services provided to Covered Entity, agrees to the same restrictions and conditions that apply through the BA Agreement, as hereby amended, to Business Associate with respect to such information, including Electronic Protected Health Information. If Business Associate knows of a pattern of activity or practice of a Subcontractor that constitutes a material breach or violation of the Subcontractor’s obligations under the business associate contract (or other arrangement) between Subcontractor and Business Associate, Business Associate will take reasonable steps to cure the breach or end the violation, as applicable, and, if such steps are unsuccessful, Business Associate will terminate the contract (or other arrangement), if feasible.
- Business Associate agrees that to the extent Business Associate is to carry out one or more of Covered Entity’s obligation(s) under Subpart E of 45 CFR Part 164, Business Associate will comply with the requirements of Subpart E that apply to Covered Entity in the performance of such obligations.
- Business Associate shall not directly or indirectly receive remuneration in exchange for any Protected Health Information concerning an Individual unless Business Associate obtains from the Individual, in accordance with 45 CFR Part 164.508(a)(4), a valid authorization that includes a statement that the disclosure will result in remuneration to the Business Associate (or Covered Entity, if applicable). This paragraph shall not apply to remuneration received in circumstances specified in 45 CFR Part 164.502(a)(5)(ii)(2).
- Business Associate agrees to provide access, at the request of Covered Entity, to Protected Health Information in a Designated Record Set (including Protected Health Information that is maintained in one or more Designated Record Sets electronically), to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet Covered Entity’s obligations under 45 CFR Part 164.524.
- Business Associate agrees that when Using or Disclosing Protected Health Information or when requesting Protected Health Information, it will make reasonable efforts to limit the Protected Health Information to the Minimum Necessary to accomplish the intended purpose of the Use, Disclosure, or Request, and will comply with the Minimum Necessary policies or procedures of Covered Entity.
- Business Associate authorizes termination of the BA Agreement and the Contract by Covered Entity, if Covered Entity determines Business Associate has violated a material term of the BA Agreement, as hereby amended, and/or if Business Associate has not cured the Breach or ended the violation within the time specified by Covered Entity.
- Terms not otherwise defined herein shall have the same meaning as in the HIPAA Rules.
IN WITNESS WHEREOF, the parties hereto have duly executed on the date indicated below, effective as of ________________, 2023.