Quentry.com Business Associate Agreement
LAST UPDATED ON June 19, 2013
THIS Business Associate Agreement (this "BAA") is made and entered into by and between you, as a user of Quentry ("You", "Your" or "Covered Entity") and Brainlab AG ("Brainlab" or "Business Associate"). By accepting this BAA, You agree to the terms of this BAA.
WHEREAS, the parties acknowledge and agree that You are a "Covered Entity" and Brainlab is a "Business Associate" of You when Business Associate uses and discloses Protected Health Information ("PHI") received from or on behalf of You in connection with performing the Services for or on behalf of You; and
WHEREAS, Covered Entity and Business Associate intend to protect the privacy and provide for the security of PHI disclosed to Business Associate pursuant to this BAA in compliance with the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 ("HIPAA"), and regulations promulgated thereunder by the U.S. Department of Health and Human Services including the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. Part 160 and Part 164 of the Code of Federal Regulations, Subpart A & E ("Privacy Rule"), the Security Standards for the Protection of Electronic Protected Health Information at 45 C.F.R. Part 160 and Part 164, Subparts A & C ("Security Rule"), the requirements of the Health Information Technology for Economic and Clinical Health Act, as incorporated in the American Recovery and Reinvestment Act of 2009 and the implementing regulations, as issued and amended by the Secretary ("HITECH").
NOW, THEREFORE, for good and valuable consideration, the receipt and adequacy of which are hereby acknowledged, You and Brainlab agree as follows:
1. Definitions. Capitalized terms used herein without definition in this BAA shall have the respective meanings assigned to such terms by HIPAA.
2. Effect. The provisions of this BAA shall control with respect to PHI that Business Associate receives from or on behalf of Covered Entity.
3. Obligations of Business Associate. Business Associate shall maintain the confidentiality and security of such PHI as required of Business Associate by applicable laws and regulations, including HIPAA. Business Associate covenants and agrees to the following:
Business Associate shall use appropriate safeguards, and comply with Subpart C of 45 C.F.R. Part 164 with respect to electronic PHI, to prevent the use or disclosure of PHI for purposes other than those permitted in Section 4 of this BAA.
(a) If Business Associate becomes aware of a use or disclosure of PHI in violation of this BAA by Business Associate or by a third party to which Business Associate disclosed PHI, Business Associate shall report any such use or disclosure to Covered Entity without unreasonable delay.
(b) Business Associate shall report any successful Security Incident involving PHI of which it becomes aware to Covered Entity in writing without unreasonable delay [and if practicable within thirty (30) business days]. The parties acknowledge and agree that this section constitutes notice by Business Associate to Covered Entity of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined below) for which no additional notice to Covered Entity shall be required. "Unsuccessful Security Incidents" shall include, but not be limited to, pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of PHI.
(c) Business Associate shall, following the discovery of a Breach of Unsecured PHI, notify the Covered Entity of such Breach in accordance with 45 C.F.R. § 164.410 without unreasonable delay, but in no case later than sixty (60) days after discovery of the Breach.
4. Permissible Uses and Disclosures of PHI.
4.1 Use and Disclosure by Business Associate Generally.
Business Associate may use and/or disclose PHI received from or on behalf of Covered Entity, as permitted or required to perform the Services, as permitted by this BAA, and/or as Required by Law, but it shall not otherwise use or disclose any PHI. Business Associate shall not use or disclose PHI in a manner that would be in violation of HIPAA if done by Covered Entity. Business Associate is permitted to use or disclose PHI as set forth below:
(a) Business Associate may use PHI internally for its proper management and administrative services or to carry out its legal responsibilities, and as authorized by Covered Entity to perform the Services and this BAA;
(b) Business Associate may disclose PHI to a third party for Business Associate's proper management and administration or to carry out its legal responsibilities, provided that the disclosure is Required by Law or Business Associate obtains reasonable assurances from the third party to whom the PHI is to be disclosed that the third party will (1) protect the confidentiality of the PHI, (2) only use or further disclose the PHI as Required by Law or for the purpose for which the PHI was disclosed to the third party, and (3) notify Business Associate of any instances of which the person is aware in which the confidentiality of the PHI has been breached;
(c) Business Associate may use PHI to provide data aggregation services relating to the health care operations of Covered Entity; and
(d) Business Associate may de-identify PHI, consistent with applicable HIPAA requirements.
4.2 Disclosure to Third Parties.
Business Associate may disclose PHI of Covered Entity that is created or received by Business Associate on behalf of Covered Entity under this BAA to agents and subcontractors Business Associate retains to assist it in the performance of the Services to Covered Entity if and only if all such agents and subcontractors agree to the same or similar requirements and restrictions with respect to the PHI as are set forth herein. Business Associate shall ensure that any such agent or subcontractor to whom it discloses electronic PHI agrees to implement reasonable and appropriate safeguards to protect such information in compliance with HIPAA.
5. Patient Rights With Respect To PHI.
5.1 Access to Information.
Within fifteen (15) business days of a written request by Covered Entity for access to PHI about an Individual contained in any Designated Record Set of Covered Entity maintained by Business Associate, if any, Business Associate shall make available to Covered Entity such PHI for so long as Business Associate maintains such information in the Designated Record Set. If Business Associate receives a request for access to PHI directly from an Individual, Business Associate shall direct the Individual to contact Covered Entity directly.
5.2 Availability of PHI for Amendment.
Within fifteen (15) business days of receipt of a written request from Covered Entity for the amendment of an Individual's PHI contained in any Designated Record Set of Covered Entity maintained by Business Associate, if any, Business Associate shall provide such information to Covered Entity for amendment and incorporate any such amendments in the PHI (for so long as Business Associate maintains such information in the Designated Record Set) as required by 45 C.F.R. §164.526. If Business Associate receives a request for amendment to PHI directly from an Individual, Business Associate shall direct the Individual to contact Covered Entity directly.
5.3 Accounting of Disclosures.
Within fifteen (15) business days of written notice by Covered Entity to Business Associate that it has received a request for an accounting of disclosures of PHI (other than disclosures to which an exception to the accounting requirement applies under HIPAA), Business Associate shall make available to Covered Entity such information as is in Business Associate's possession and is required for Covered Entity to make the accounting required by 45 C.F.R. §164.528.
6. Availability of Books and Records.
Business Associate shall make Business Associate's internal practices, books and records relating to the use and disclosure of PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, available to the Secretary of Health and Human Services for purposes of determining and facilitating Business Associate's and Covered Entity's compliance with HIPAA.
7. Obligations of Covered Entity.
7.1 Covered Entity shall not cause Business Associate to use or disclose PHI in any manner that would not be permissible under HIPAA if done directly by Covered Entity.
7.2 Covered Entity represents that, to the extent Covered Entity provides PHI to Business Associate, such PHI is the minimum necessary PHI for the accomplishment of Business Associate's purpose.
7.3 Covered Entity represents that, to the extent Covered Entity provides PHI to Business Associate, Covered Entity has obtained the consents, authorizations and/or other forms of legal permission required under HIPAA and other applicable law.
7.4 Covered Entity shall implement reasonable and appropriate measures to ensure that PHI and electronic PHI are disclosed, provided or transmitted to Business Associate only in a secure manner including through the use of a technology or methodology standard that renders PHI unusable, unreadable, or indecipherable to unauthorized individuals.
7.5 Covered Entity shall indemnify and hold Business Associate, its affiliates and subsidiaries, and their respective directors, officers, employees and subcontractors harmless from and against any damages, costs, liabilities, expenses and settlement amounts incurred in connection with a breach by Covered Entity of this Section 7.
8. Termination and Expiration of BAA.
The term of this BAA shall be effective as of the date when Your membership for Quentry is activated ("Effective Date"), and shall terminate upon termination of Your membership.
8.2 Termination for Failure to Comply.
Covered Entity may terminate the Services immediately upon failure of Business Associate to cure a material breach of this BAA within 30 days of receipt of written notice to Business Associate if Covered Entity determines that Business Associate has violated a material term of this BAA. This BAA may be terminated by Business Associate upon 30 days written notice to the Covered Entity, if Business Associate believes that the requirements of any law, legislation, consent decree, judicial action, governmental regulation or agency opinion, enacted, issued, or otherwise effective after the Effective Date and applicable to the PHI or to this BAA, cannot be met by Business Associate in a commercially reasonable manner and without significant additional expense.
8.3 Return of PHI upon Termination or Expiration.
Upon termination or expiration of this BAA, Business Associate shall destroy all PHI received from, created or received by Business Associate on behalf of, Covered Entity to Covered Entity. If Business Associate reasonably determines that such destruction is not feasible, Business Associate will extend the protections of this BAA to the PHI and limit further uses and disclosures to those purposes that make the return or destruction of such PHI infeasible.
8.4 Binding Effect.
Except as otherwise provided herein, the terms and conditions of the BAA shall remain in full force and effect following termination of the BAA.
Upon enactment of any applicable law or regulation affecting the use or disclosure of PHI, or the publication of any interpretative policy or opinion of any government agency charged with the enforcement of any such law or regulation, Covered Entity, by written notice to Business Associate, may request amendment of this BAA in such manner as Covered Entity reasonably determines necessary to comply with such law or regulation to the extent such enactment is directly applicable and enforceable against Business Associate; provided, however, that to the extent such amendment causes Business Associate to incur a material increase in the costs associated with performance of the Services, the parties shall meet and negotiate in good faith to make any adjustments to the fees for the Services. In the event the parties, after good faith negotiations, cannot reach agreement regarding the amount of such adjustments, either party may terminate the Services by giving the other party at least seven (7) days prior written notice of its intent to terminate.
9.2 Entire Agreement.
This BAA is the entire and sole understanding of the parties hereto with respect to the subject matter hereof, and supersedes all prior negotiations, understandings, transactions, or communication, whether oral, or written, including electronic form. If any provision or part thereof is found to be invalid, the remaining provisions shall remain in full force and effect. Any other terms or conditions contained in any other document with respect to PHI shall not apply.
9.3 Successors and Assigns.
This BAA will inure to the benefit of and be binding upon the successors and assigns of the parties. This BAA is not assignable by any party without the prior written consent of the other party. Notwithstanding the foregoing, Business Associate may assign this BAA in its entirety, without consent of the other party, to its affiliate or in connection with a merger, acquisition, corporate reorganization, or sale of all or substantially all of its assets not involving a direct competitor of the other party.
9.4 No Third Party Beneficiaries.
Nothing express or implied in this BAA is intended to confer, nor shall anything herein confer, upon any person other than Covered Entity, Business Associate, and their respective successors or assigns, any rights, remedies, obligations, or liabilities whatsoever.
9.5 Independent Contractors.
None of the provisions of this Agreement are intended to create, nor will they be deemed to create, any relationship between the parties other than that of independent parties contracting with each other solely for the purposes of effecting the provisions of this BAA and any other agreements between the parties evidencing their business relationship.
By accepting this BAA without raising any objection, You signify Your agreement with and understanding of the terms set forth herein.
Contacts: If you have any questions, concerns, or suggestions regarding this BAA, please contact us at firstname.lastname@example.org.