Business Associate Agreement

Christina 18 Dec 2024


Last updated on: 18/12/2024

This “Business Associate Agreement” (the “BAA”) is incorporated into, accepted pursuant to, and forms part of the “myTomorrows Terms of Use – Platform” (the “Terms of Use”) (collectively, “the Agreement”), where applicable.

The term “Covered Entity” will refer to the Physician or Institution using myTomorrows’ platform and “Business Associate” to myTomorrows as such terms are defined in the Terms of Use.

RECITALS

WHEREAS, the U.S. Department of Health and Human Services (“HHS”) issued regulations on “Standards for Privacy of Individually Identifiable Health Information” comprising 45 C.F.R. Parts 160 and 164, Subparts A and E (the “Privacy Rule”), “Security Standards for the Protection of Electronic Protected Health Information” comprising 45 C.F.R. Parts 160 and 164, Subpart C (the “Security Rule”), “Standards for Notification in the Case of Breach of Unsecured Protected Health Information” comprising 45 C.F.R. Parts 160 and 164, Subpart D (the “Breach Notification Rule”), and “Rules for Compliance and Investigations, Impositions of Civil Monetary Penalties, and Procedures for Hearings” comprising 45 C.F.R. Part 160, Subparts C, D, and E (the “Enforcement Rule”), promulgated pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”) (the Privacy Rule, the Security Rule, the Breach Notification Rule, and the Enforcement Rule are collectively referred to herein as the “HIPAA Standards”).

WHEREAS, in conformity with the HIPAA Standards, Business Associate has created and/or will create, receive, maintain, or transmit certain Protected Health Information (“PHI”) of Covered Entity pursuant to the Referral Services provided under the Terms of Use.

WHEREAS, Covered Entity is obliged by the HIPAA Standards to enter into a BAA with Business Associate to obtain satisfactory assurances that Business Associate will appropriately safeguard all PHI created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity.

WHEREAS, the parties hereto desire to enter into this BAA to memorialize their obligations with respect to PHI pursuant to the requirements of the HIPAA Standards.

NOW, THEREFORE, Covered Entity and Business Associate agree as follows:

I. General Provisions
1. Effect

This BAA supplements, modifies, and amends the Terms of Use and any other agreement, whether oral or written, between the parties where performance under the Agreement involves the disclosure of Protected Health Information (“PHI”) by Covered Entity to Business Associate, or the creation, receipt, maintenance, or transmission of PHI by Business Associate on behalf of Covered Entity.

The terms and provisions of this BAA supersede any other conflicting or inconsistent terms and provisions in the Terms of Use between the parties, including all exhibits or other attachments thereto and all documents incorporated therein by reference.

2. Amendment and Signature

Business Associate and Covered Entity agree to amend this BAA to the extent necessary to allow either Business Associate or Covered Entity to comply with the HIPAA Standards promulgated or to be promulgated by the Secretary of the Department of Health and Human Services (the “Secretary”) or other related regulations or statutes.

Covered Entity may request a signed version of this BAA by emailing dataprotection@mytomorrows.com. Covered Entity acknowledges and agrees that such a signature is not required for the Agreement to be binding. The Agreement is considered valid and binding on the Parties from the moment that Covered Entity, or an individual acting on behalf of Covered Entity, has accepted Business Associate’s Terms of Use.

3. Definitions

Capitalised terms not defined in this BAA have the meanings set forth in the HIPAA Privacy Rule and the HIPAA Security Rule, or in the Terms of Use, as applicable.

II. Obligations of Business Associate
1. Permitted Uses and Disclosures of PHI by Business Associate

Except as otherwise limited by the Terms of Use, the HIPAA Standards, or other applicable laws, Business Associate may:
(a) Use or disclose PHI as reasonably necessary to provide the Services described in the Terms of Use to Covered Entity, and to undertake other activities of Business Associate permitted or required of Business Associate by this BAA or by applicable laws;
(b) Use PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate;
(c) De-identify PHI in accordance with 45 C.F.R. § 164.502(d), including for reporting and process improvement purposes;
(d) Provide Data Aggregation services relating to the Health Care Operations of Covered Entity if required for the provision of the Services under the Terms of Use; and
(e) Disclose PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, provided that
(i) the disclosure is Required by Law; or
(ii) Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and will be used or further disclosed only as Required by Law or for the specific purpose for which it was disclosed to the person, and the person will notify Business Associate of any instances of which it is aware that the confidentiality of the PHI has been breached.

2. Limitations on Uses and Disclosures of PHI

Business Associate agrees not to use or further disclose PHI other than as permitted or required by this BAA or as Required by Law. Business Associate will also comply with any further limitations on uses and disclosures of PHI agreed to by Covered Entity in accordance with 45 C.F.R. § 164.522, provided that Covered Entity communicates such limitations to Business Associate prior to such limitations becoming binding on Business Associate.

3. Safeguards Against Misuse of Information

Business Associate agrees, consistent with 45 C.F.R. Part 164, Subpart C, to implement administrative standards, encryption protocols, physical workplace protection, and information technology safeguards that are designed to reasonably and appropriately protect the confidentiality, integrity, and availability of any PHI, in any form, including but not limited to Electronic Protected Health Information, that it creates, receives, maintains, or transmits on behalf of Covered Entity, as provided for in the Security Rule.

4. Reporting of Disclosures of Protected Health Information

Business Associate agrees to report to Covered Entity any use or disclosure of PHI not permitted by this BAA of which Business Associate becomes aware. Additionally, Business Associate will report to Covered Entity any Security Incident of which Business Associate becomes aware, and such report shall include, to the extent known at the time of notice or promptly thereafter as information becomes available:
(i) an identification of each individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, subject to such Breach or unauthorized use or disclosure;
(ii) a description of the nature of the Breach or the violating use or disclosure;
(iii) a description of the PHI involved;
(iv) a description of the processes undertaken or proposed to be undertaken to alert any individual patient(s) affected by the Breach or violating use or disclosure, as well as the steps that any affected individual patient(s) should take to protect themselves from its effects; and
(v) a description of the remedial procedures undertaken by Business Associate.

Notwithstanding the foregoing, the parties acknowledge and agree that this Section II(4) constitutes notice by Business Associate to Covered Entity of the ongoing existence and occurrence or attempts of Unsuccessful Security Incidents, for which no additional notice to Covered Entity will be required. “Unsuccessful Security Incidents” means, without limitation, pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denial of service attacks, and any combination of the above, so long as no such incident results in unauthorized access, use, or disclosure of Covered Entity’s electronic PHI.

5. Notification of Breach

Business Associate agrees to notify Covered Entity of any Breach of Unsecured PHI without undue delay and within no more than sixty (60) calendar days of the date Business Associate discovers the Breach. Business Associate will provide such information to Covered Entity as required by the Breach Notification Rule.

6. Agreement with Third Parties

Business Associate will obtain and maintain a written agreement with each agent or subcontractor that creates, receives, maintains, or transmits Covered Entity’s PHI on behalf of Business Associate. Under the agreement, such agent or subcontractor will agree to materially the same restrictions and conditions that apply to Business Associate pursuant to this Agreement with respect to such PHI and in any event those restrictions and conditions required under the HIPAA Standards.

7. Mitigation of Harm

Business Associate will take reasonable measures to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this Agreement or the HIPAA Standards.

8. Access to Information

If Business Associate maintains PHI in a Designated Record Set, as defined in 45 C.F.R. § 164.501, and upon request of Covered Entity, Business Associate agrees to provide access to such PHI in a Designated Record Set to Covered Entity in order for Covered Entity to comply with the requirements under 45 C.F.R. § 164.524.

If Business Associate receives a direct request from an Individual for access to PHI, it will forward the request to Covered Entity to fulfill within 10 (ten) business days. Any disclosure of, or decision not to disclose, the PHI requested by an Individual or a personal representative and compliance with the requirements applicable to an Individual’s right to obtain access to PHI shall be the sole responsibility of Covered Entity.

9. Availability of Protected Health Information for Amendment

If Business Associate maintains PHI in a Designated Record Set, Business Associate agrees to make available PHI for amendment and incorporate any amendments to PHI in a Designated Record Set, in order for Covered Entity to comply with 45 C.F.R. § 164.526. If Business Associate receives a direct request from an Individual for amendment to PHI, it will promptly forward the request to Covered Entity to fulfill. Any amendment of, or decision not to amend, the PHI or record as requested by an Individual and compliance with the requirements applicable to an Individual’s right to request an amendment of PHI will be the sole responsibility of Covered Entity.

10. Availability of Books and Records

Business Associate will promptly make its internal practices, books, and records, including policies and procedures relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of Covered Entity, available to the Secretary of the U.S. Department of Health and Human Services, for purposes of determining compliance with the HIPAA Standards.

11. Accounting of Disclosures

Business Associate agrees to document and make available promptly information required to provide an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and the HITECH Act. Business Associate further agrees to promptly provide Covered Entity such information upon request to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI, in accordance with 45 C.F.R. § 164.528 and the HITECH Act.

Business Associate will furnish Covered Entity the following with respect to any covered disclosures by Business Associate:
(i) the date of disclosure of PHI;
(ii) the name of the entity or person who received PHI, and, if known, the address of such entity or person;
(iii) a brief description of the PHI disclosed; and
(iv) a brief statement of the purpose of the disclosure which includes the basis for such disclosure.

12. Minimum Necessary

Business Associate agrees to implement policies and procedures designed to limit any use, disclosure, or request of PHI made to perform or fulfill a function required or permitted under this Agreement to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request, as specified by the HIPAA Standards and any relevant guidance issued by the U.S. Department of Health and Human Services.

13. Performance of Covered Entity’s Obligations

If Business Associate agrees to carry out an obligation of Covered Entity under 45 C.F.R. Part 164, Subpart E, Business Associate agrees to comply with the requirements of 45 C.F.R. Part 164, Subpart E that apply to Covered Entity in the performance of such obligations.

14. Standard Transactions

If Business Associate conducts any Standard Transactions on behalf of Covered Entity, Business Associate will comply with the applicable requirements of 45 C.F.R. Part 162.

III. Obligations of Covered Entity
1. Lawfulness of PHI

Covered Entity represents, warrants, and covenants that it (i) has all rights, has obtained all consents or authorizations, and has provided all notices necessary for the lawful provision of PHI to Business Associate and for Business Associate’s uses or disclosures of PHI permitted under the Agreement; and (ii) shall not request or require Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Standards if done by Covered Entity.

2. Minimum Necessary

Covered Entity agrees to provide, disclose, or otherwise make available to Business Associate only such minimum amount of PHI as is necessary to perform the Services or otherwise accomplish the intended purpose of the use, disclosure, or request.

3. Notice to Business Associate

Covered Entity shall notify Business Associate in writing and in a timely manner of:
(i) Any changes in, or revocation of, the consent or authorization provided to Covered Entity by individuals pursuant to the HIPAA Standards, to the extent such changes may affect Business Associate’s use or disclosure of PHI; and
(ii) Any arrangements permitted or required of Covered Entity under the HIPAA Standards that may impact in any manner the use and/or disclosure of PHI by Business Associate under this BAA, including, but not limited to, restrictions on use and/or disclosure of PHI agreed to by Covered Entity, to the extent such restrictions may affect Business Associate’s Use or Disclosure of PHI.

IV. Term and Termination
1. Term

This Agreement will become effective upon Covered Entity’s acceptance of the Terms of Use and, unless otherwise terminated as provided herein, will remain in effect until the expiration or termination of the Terms of Use.

2. Termination Upon Breach of Provisions Applicable to Protected Health Information

Upon Covered Entity’s knowledge of a material breach of this Agreement by Business Associate, Covered Entity may terminate this Agreement by terminating the Terms of Use pursuant to the terms thereof. This section shall not affect Business Associate’s right to terminate the Services in accordance with the Terms of Use.

3. Effect of Termination

Upon termination of this Agreement, Business Associate will either return to Covered Entity or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, which Business Associate still maintains in any form. Business Associate will not retain any copies of such PHI, except to the extent required by applicable laws. Notwithstanding the foregoing, to the extent that Business Associate determines that it is not feasible to return or destroy such PHI, the terms and provisions of this BAA will survive termination and such PHI will be used or disclosed solely for such purpose or purposes which prevented the return or destruction of such PHI.

V. Miscellaneous
1. Notices

Any notices or communications to be given pursuant to this Agreement will be made pursuant to the terms of the Terms of Use.

2. Regulatory References

A reference in this Agreement to a section in the HIPAA Standards means the section then in effect.

3. Amendment

The parties agree to take such action as may be necessary to amend this Agreement from time to time to ensure the parties comply with the requirements of the HIPAA Standards and any other applicable law or regulation. Business Associate reserves the right to update the Agreement from time to time, to remain compliant with applicable laws and ensure the continuity of services. In the event of significant changes, Business Associate will make reasonable efforts to inform Covered Entity. Nevertheless, Covered Entity remains responsible for ensuring it regularly reviews the Agreement for potential changes. Failure to review such changes will not result in the unenforceability of the changes made by Business Associate to the Agreement.

Except as provided otherwise in this section, no waiver, change, modification, or amendment of any provision of this BAA shall be made unless it is in writing and is signed by the parties hereto.

4. No Third-Party Beneficiary

Nothing express or implied in this Agreement is intended to confer, nor will anything herein confer, upon any person other than the parties and the respective successors or assigns of the parties, any rights, remedies, obligations, or liabilities whatsoever.

Notwithstanding the foregoing, to the extent necessary, the Institution is expressly designated as a third-party beneficiary under the Agreement and may enforce the applicable provisions of the Agreement as if it were an original Party hereto.

5. Interpretation

Any ambiguity in this Agreement will be resolved to permit the parties to comply with the HIPAA Standards. In the event of any inconsistency or conflict between this Agreement and the Terms of Use, the terms and conditions of this Agreement will govern and control.

6. Severability

A reference in this Agreement to a section in the HIPAA Standards means the section then in effect.

7. Other Agreements

In the event of a conflict between the terms of this BAA and the Terms of Use, the terms of this BAA shall prevail with respect to provisions related to HIPAA Standards. For all other conflicts, the terms of the Terms of Use shall prevail.

8. Governing Law

This Agreement will be governed by and construed in accordance with the laws of the jurisdiction specified in the Terms of Use. Any disputes related to the Agreement shall be brought before the courts of the jurisdiction specified in the Terms of Use.