This Business Associate Agreement (the “BAA”) is entered into by and between Nuevozen Corp. (“Business Associate”) and the health care provider (“Covered Entity”) who has subscribed to receive services from Business Associate by entering into a Nuevozen Solution Agreement (the “Agreement”). This BAA is effective when electronically accepted by Covered Entity on Business Associate’s website. If there is any conflict between a provision in this BAA and a provision in the Agreement, this BAA will control.
Background.
Pursuant to the Agreement, Business Associate will be providing modeling data to Covered Entity in connection with health care assessments and diagnoses (the “Solution”). In accessing the Solution, Covered Entity will disclose PHI to Business Associate. Such disclosure may result in Business Associate’s use, disclosure, maintenance, and/or creation of PHI, including ePHI, on behalf of Covered Entity.
- Definitions.
Except as otherwise defined in this BAA, capitalized terms shall have the definitions set forth in HIPAA, and if not defined by HIPAA, such terms shall have the definitions set forth in the Agreement.
“Breach” means the acquisition, access, use, or disclosure of PHI in a manner not permitted by the HIPAA Privacy Rule that compromises the security or privacy of PHI as defined and subject to the exceptions set forth in 45 C.F.R. §164.402.
“Breach Notification Rule” means the Breach Notification for Unsecured Protected Health Information Final Rule.
“Electronic PHI” means PHI that is transmitted or maintained in Electronic Media.
“HIPAA” means the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), Title XIII of the American Recovery and Reinvestment Act of 2009 (Public Law 111-005) and the rules, guidance and regulations promulgated thereunder, including 45 Code of Federal Regulations, Parts 160 and 164, in each case as amended from time to time, including by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act.
“PHI” means Covered Entity’s protected health information, as defined in 45 C.F.R. §160.103, and is limited to the PHI of eligible plan members that is received, maintained, created, or transmitted on behalf of Covered Entity by Business Associate in performance of the Advance Analytics Services.
“Privacy Rule” means the Standards for Privacy of Individually Identifiable Health Information.
“Security Rule” means the Security Standards for the Protection of Electronic PHI.
- Permitted Uses and Disclosures of PHI.
Except as otherwise limited in this BAA or by law, Business Associate:
- may use or disclose PHI provided to the Business Associate by Covered Entity to provide the Solution for or on behalf of Covered Entity as specified in the Agreement, provided that such uses or disclosures would not violate the Privacy Rule if done by a Covered Entity or the Minimum Necessary policies and procedures of Business Associate.
- Business Associate may use or disclose PHI as required by law.
- Business Associate may disclose PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, provided the disclosures are required by law, or Business Associate obtains reasonable assurances from the person to whom the PHI is disclosed that the PHI will remain confidential and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the PHI has been breached.
- Business Associate may use PHI to provide Data Aggregation services to Covered Entity as permitted by 45 C.F.R. Part 164.
- Business Associate may use PHI to create de-identified information as permitted by 45 C.F.R. Part 164. Such de-identified information is no longer PHI and may be used or disclosed by Business Associate for any lawful purpose.
- Business Associate may use PHI to report a violation of law to appropriate Federal and/or State authorities, as permitted by 45 C.F.R. Part 164.
- Business Associate’s Responsibilities.
Business Associate agrees to the following:
- Limitations on Use and Disclosure. Business Associate shall not Use and/or Disclose the PHI other than as permitted or required by the Agreement and/or this BAA or as otherwise Required by Law. Business Associate shall not disclose, capture, maintain, scan, index, transmit, share or Use PHI for any activity not authorized under the Agreement and/or this BAA. Business Associate shall not use PHI for any advertising, Marketing or similar commercial purpose of Business Associate or any third party. Business Associate shall not violate the HIPAA prohibition on the sale of PHI. Business Associate shall make reasonable efforts to Use, Disclose, and/or request the minimum necessary PHI to accomplish the intended purpose of such Use, Disclosure, or request.
- Safeguards. Business Associate shall: (1) use reasonable and appropriate safeguards to prevent Use and Disclosure of PHI other than as permitted in Section 2 of this BAA; and (2) comply with the applicable requirements of 45 CFR Part 164 Subpart C of the Security Rule with respect to Electronic PHI.
- Reporting. Business Associate shall report to Covered Entity: (1) any Use and/or Disclosure of PHI that is not permitted or required by this BAA of which Business Associate becomes aware; (2) any Security Incident of which it becomes aware, provided that notice is hereby deemed given for Unsuccessful Security Incidents and no further notice of such Unsuccessful Security Incidents shall be given; and/or (3) any Breach of Covered Entity’s Unsecured PHI that Business Associate may discover (in accordance with 45 CFR § 164.410 of the Breach Notification Rule). Notification of a Breach will be made without unreasonable delay, but in no event more than seventy-two (72) hours after Business Associate’s discovery of a Breach. Taking into account the level of risk reasonably likely to be presented by the Use, Disclosure, Security Incident, or Breach, the timing of other reporting will be made consistent with Business Associate’s and Covered Entity’s legal obligations. Notification(s) under this Section, if any, will be delivered to contacts identified by Covered Entity when registering to use the Solution by any means Business Associate selects, including through e-mail. Business Associate’s obligation to report under this Section is not and will not be construed as an acknowledgement by Business Associate of any fault or liability with respect to any Use, Disclosure, Security Incident, or Breach.
- “Unsuccessful Security Incidents” mean, without limitation, pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denial of service attacks, and any combination of the above, as long as no such incident results in unauthorized access, acquisition, Use, or Disclosure of PHI.
- Subcontractors. In accordance with 45 CFR §§ 164.502(e)(1)(ii) and 164.308(b)(2) of HIPAA, Business Associate shall require its Subcontractors who create, receive, maintain, or transmit PHI on behalf of Business Associate to agree in writing to: (1) the same or more stringent restrictions and conditions that apply to Business Associate with respect to such PHI; (2) appropriately safeguard the PHI; and (3) comply with the applicable requirements of 45 CFR Part 164 Subpart C of the Security Rule. Business Associate remains responsible for its Subcontractors’ compliance with obligations in this BAA.
- Disclosure to the Secretary. Pursuant to 45 C.F.R. §§ 160.310(c) & 164.502(a)(4)(i), Business Associate shall make its internal practices, books, and records relating to the Use and Disclosure of PHI received from, or created or received on behalf of, Covered Entity available to the Secretary of Health and Human Services.
- Amendment. Business Associate, at the request of Covered Entity, shall within fifteen (15) days make available such PHI to Covered Entity for amendment and incorporate any reasonably requested amendment in the PHI in accordance with 45 CFR § 164.526 of the Privacy Rule.
- Accounting of Disclosure. Business Associate, at the request of Covered Entity, shall within thirty (30) days make available to Covered Entity such information relating to Disclosures made by Business Associate as required for Covered Entity to make any requested accounting of Disclosures in accordance with 45 CFR § 164.528 of the Privacy Rule.
- Covered Entity Responsibilities.
Covered Entity agrees to:
- Notify Business Associate of any limitation(s) in the notice of privacy practices of Covered Entity under 45 CFR 164.520 to the extent that such limitation may affect Business Associate’s use or disclosure of PHI.
- Notify Business Associate of any changes in, or revocation of, the permission by an Individual to use or disclose his or her PHI to the extent that such changes may affect Business Associate’s use or disclosure of PHI.
- Notify Business Associate of any restriction on the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 CFR 164.522 to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.
- Refrain from requesting that Business Associate use or disclose PHI in a manner that would not be permissible under Subpart E of 45 CFR Part 164 if done by Covered Entity.
- Term and Termination.
- Term. The term of this BAA will commence when accepted electronically by Covered Entity and will terminate concurrently with the Agreement unless earlier terminated by mutual written agreement of the Parties or in accordance with Section 5(b).
- Termination for Breach. Upon written notice, either Party immediately may terminate the Agreement and this BAA if the other Party is in material breach or default of any obligation in this BAA. Either party may provide the other a thirty (30) calendar day period to cure a material breach or default within such written notice.
- Return, Destruction, or Retention of PHI Upon Termination. Upon expiration or termination of this BAA, Business Associate shall return or destroy all PHI in its possession, if it is feasible to do so, and as set forth in the applicable termination provisions of the Agreement. If it is not feasible to return or destroy any portions of the PHI upon termination of this BAA, then Business Associate shall extend the protections of this BAA, without limitation, to such PHI and limit any further Use or Disclosure of the PHI to those purposes that make the return or destruction infeasible for the duration of the retention of the PHI.
- Miscellaneous.
- Interpretation. This BAA is governed by and construed in accordance with the same internal laws governing the Agreement. Except where this BAA conflicts with the Agreement, all other terms and conditions of the Agreement remain unchanged. Any captions or headings in this BAA are for the convenience of the Parties and shall not affect the interpretation of this BAA.
- Amendments; Waiver. This BAA may not be modified or amended except in a writing duly signed by authorized representatives of the Parties. A waiver with respect to one event shall not be construed as continuing, as a bar to, or as a waiver of any right or remedy as to subsequent events.
- No Third-Party Beneficiaries. Nothing express or implied in this BAA is intended to confer, nor shall anything in this BAA confer, upon any person other than the Parties, and the respective successors or assigns of the Parties, any rights, remedies, obligations, or liabilities whatsoever.
- Severability. In the event that any provision of this BAA is found to be invalid or unenforceable, the remainder of this BAA shall not be affected thereby, but rather the remainder of this BAA shall be enforced to the greatest extent permitted by law.
- No Agency Relationship. It is not intended that an agency relationship (as defined under the Federal common law of agency) be established hereby expressly or by implication between Covered Entity and Business Associate under HIPAA or the Privacy Rule, Security Rule, or Breach Notification Rule. No terms or conditions contained in this BAA shall be construed to make or render Business Associate an agent of Covered Entity.
- Written Notices. Business Associate’s address for notices pursuant to this BAA is Nuevozen Corp., Attn: Privacy Officer, Address: 336 Bon Air Ctr, #299, Greenbrae, CA, 94904. Notices to Covered Entity may be sent to the address associated with its subscription to the Solution.
Copyright © 2021 Nuevozen Corp. All Rights Reserved.
Last Updated November 2021.