
BUSINESS ASSOCIATE AGREEMENT

This BUSINESS ASSOCIATE AGREEMENT (this “BAA”), by and between EASYRX LLC, a Georgia limited liability company (“Business Associate”) and your Business (“Covered Entity”) is entered into and made effective as of the date the authorized agent of Business Associate clicks the “Accept” button below (the “Effective Date”).

BY CLICKING THE “ACCEPT” BUTTON, COVERED ENTITY ACKNOWLEDGES AND AGREES THAT IT HAS READ ALL OF THE TERMS AND CONDITIONS OF THIS AGREEMENT AND AGREES TO BE BOUND BY ALL TERMS AND CONDITIONS.

The person clicking the ACCEPT button hereby represents to EasyRx, LLC that he or she is at least 18 years old and is competent and fully authorized to enter into this binding agreement on behalf of the Business Associate.

BACKGROUND

WHEREAS, Covered Entity and Business Associate are parties to an agreement or various agreements whereby Business Associate provides certain services to Covered Entity (“Agreement”).

WHEREAS, Business Associate’s performance of the Agreement may require Business Associate to create, receive, maintain, or transmit Protected Health Information or financial accounts that are subject to the federal law and regulations with respect to privacy, security, and breach notification under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), including all pertinent regulations issued by the agencies of the United States Department of Health and Human Services (45 C.F.R. Parts 160 and 164), as amended by Subtitle D of the Health Information Technology for Economic and Clinical Health Act (HITECH Act), Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 (Pub. L. 111-5) (collectively referred to hereinafter as the “HIPAA Standards”); and

WHEREAS, the parties are committed to complying with the HIPAA Standards;

NOW, THEREFORE, in consideration of the mutual promises and obligations set forth herein, and other good and valuable consideration, the receipt and sufficiency of which the parties acknowledge, the parties hereby agree as follows:

1. General. This BAA sets forth the terms and conditions under which Protected Health Information or Electronic Protected Health Information that Business Associate creates, receives, maintains, or transmits on behalf of the Covered Entity will be handled between the Business Associate and the Covered Entity, as well as with third parties during the term of the Agreement and following its termination. In the event of an inconsistency between the terms of the Agreement and the terms of this BAA, the terms of this BAA shall control in regard to the handling of Protected Health Information or Electronic Protected Health Information.

2. Definitions. When used in this BAA, the following terms have the following meanings:

a. “Protected Health Information” or “PHI” has the same meaning as the term “protected health information” in 45 C.F.R. § 160.103, limited to the information created, received, maintained, or transmitted on behalf of Covered Entity.

b. “Electronic Protected Health Information” has the same meaning as the term “electronic protected health information” in 45 C.F.R. § 160.103, limited to the information created, received, maintained, or transmitted on behalf of Covered Entity.

c. “Unsecured Protected Health Information” or “Unsecured PHI” means Protected Health Information that is not secured through the use of a technology or methodology specified by the Secretary in guidance or as otherwise defined in Section 13402(h) of the HITECH Act.

d. “Privacy Rule” means the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. part 160, part 162 and part 164, subparts A and E.

e. “Security Rule” means the Security Standards for the Protection of Electronic Protected Health Information at 45 C.F.R. part 160 and part 164, subpart C.

f. “Secretary” means the Secretary of the Department of Health and Human Services or his/her designee.

g. Terms used, but not otherwise defined, in this BAA shall have the same meaning as those terms in the HIPAA Standards and regulations.

h. The term Protected Health Information or PHI shall include both Protected Health Information and Electronic Protected Health Information (“ePHI”); however, ePHI shall be used when only Electronic Protected Health Information is being referenced.

3. Obligations and Activities of Business Associate.

a. Business Associate agrees not to use or disclose Protected Health Information other than as permitted or required by the Agreement (including this BAA) or as Required By Law.

b. Business Associate will implement administrative, physical, and technical safeguards set forth in 45 CFR §§ 164.308, 164.310, and 164.312 that reasonably and appropriately protect the confidentiality, integrity, and availability of any Protected Health Information that it creates, receives, maintains or transmits on behalf of Covered Entity, and in accordance with 45 C.F.R. § 164.316, implement and maintain reasonable and appropriate policies and procedures to enable it to comply with the requirements outlined in 45 CFR §§ 164.308, 164.310, and 164.312.

c. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this BAA.

d. Business Associate agrees to report promptly, no later than five (5) days after discovery, to Covered Entity any use or disclosure of the Protected Health Information not provided for by this BAA of which it becomes aware. For uses or disclosures that represent breaches of unsecured Protected Health Information, Business Associate shall report the information required by 45 C.F.R. 164.410 without unreasonable delay, and in no case later than thirty (30) days after discovery.

e. Business Associate agrees to ensure that any subcontractor that creates, receives, maintains, or transmits Protected Health Information agrees to the same restrictions, conditions, and requirements that apply through this BAA to Business Associate with respect to such information. Business Associate shall perform appropriate due diligence on each subcontractor prior to permitting a Subcontractor to receive, create, maintain, or transmit Protected Health Information.

f. Business Associate agrees to provide access, within ten (10) days of receiving a written request from Covered Entity, to Protected Health Information in a Designated Record Set to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 C.F.R. § 164.524, and any subsequent legislation or guidance regarding an Individual’s right to access his or her Protected Health Information, including, but not limited to, the requirements of Section 13405 of HITECH Act and the regulations thereunder. In the event any Individual requests access to Protected Health Information directly from Business Associate, Business Associate shall forward such request to Covered Entity within two (2) days.

g. Business Associate agrees to make any amendment(s) to Protected Health Information in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 C.F.R. § 164.526 and any subsequent legislation or guidance regarding an Individual’s right to request amendment of his or her Protected Health Information within thirty (30) days of receiving a written request from Covered Entity. In the event any Individual requests amendment of Protected Health Information directly from Business Associate, Business Associate shall forward such request to Covered Entity within five (5) days.

h. Business Associate agrees to comply with the applicable requirements of the Security Rule and to ensure that any subcontractor that creates, receives, maintains, or transmits Protected Health Information agrees to comply with the applicable requirements of the Security Rule.

i. Business Associate agrees to make its internal practices, books, and records, including policies and procedures, relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of, Covered Entity available to the Covered Entity within ten (10) days of receiving a written request from Covered Entity, or to the Secretary, in a time and manner designated by the Secretary, for purposes of the Secretary’s determining Covered Entity’s compliance with the Privacy Rule and Security Rule. Nothing in this section shall be construed as a waiver of any legal privilege or of any protections for trade secrets or confidential commercial information. Business Associate shall immediately notify Covered Entity of such request from the Secretary pertaining to an investigation of Covered Entity’s compliance with HIPAA.

j. Business Associate agrees to document uses and disclosures of Protected Health Information and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information and/or an access report in accordance with 45 C.F.R. § 164.528 and any subsequent legislation or guidance regarding an Individual’s right to an accounting of the disclosures of his or her Protected Health Information or access report, including but not limited to, the requirements of Section 13405 of HITECH Act and the regulations thereunder. Nothing in this section shall require documenting PHI as necessary to create an access report unless 45 C.F.R. § 164.528 is amended to require such a report.

k. To the extent Business Associate is to carry out one or more of Covered Entity’s obligation(s) under Subpart E of 45 C.F.R. Part 164, including but not limited to provision of Covered Entity’s notice of privacy practices, Business Associate agrees to comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s).

4. Permitted Uses and Disclosures by Business Associate.

a. Except as otherwise limited in this BAA, Business Associate may use or disclose Protected Health Information to perform functions, activities, or services for, or on behalf of, Covered Entity as specified in the Agreement, provided that such use or disclosure would not violate the Privacy Rule if done by Covered Entity.

b. Except as otherwise limited in this BAA, Business Associate may disclose Protected Health Information for the proper management and administration or to carry out the legal responsibilities of the Business Associate, provided that disclosures are Required By Law, or (i) Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached; and (ii) Business Associate obtains Covered Entity’s prior written approval for such disclosures involving 500 or more Individuals.

c. Except as otherwise limited in this BAA, Business Associate may use Protected Health Information to provide Data Aggregation services to Covered Entity as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B).

d. Business Associate may use Protected Health Information to report violations of law to appropriate Federal and State authorities, consistent with 45 C.F.R. § 164.502(j)(1).

e. Business Associate may not use Protected Health Information to create de-identified health information under 45 C.F.R. § 164.514(b) of the Privacy Rule unless necessary to perform functions, activities, or services for, or on behalf of, Covered Entity as specified in the Agreement.

5. Term and Termination.

a. Term. The term of this BAA shall be effective upon execution, and shall terminate when the Agreement is terminated.

b. Termination for Cause. Upon either Party’s knowledge of a material breach by the other Party of its obligations under this Agreement, the non-breaching Party shall, within twenty (20) days of that determination, notify the breaching Party, and the breaching Party shall have thirty (30) days from receipt of that notice to cure the breach or end the violation. If the breaching Party fails to take reasonable steps to effect such a cure within such time period, the non-breaching Party may terminate this Agreement and the Underlying Agreements without penalty. Where either Party has knowledge of a material breach by the other Party and determines that cure is infeasible, prior notice of the breach is not required, and the non-breaching Party shall terminate the portion of the Underlying Agreements affected by the breach without penalty. Where neither cure nor termination is feasible, the non-breaching Party shall report the violation to the Secretary.

c. Effect of Termination. Upon termination of this Agreement, the parties hereby acknowledge that the return or destruction of PHI received by the Business Associate from Covered Entity is likely not feasible, and that, therefore Business Associate may retain a copy of such Protected Health Information provided that: (i) the provisions of this BAA shall continue to apply to any such information retained following cancellation, termination, expiration, or other conclusion of the Agreement; and (ii) Business Associate shall limit uses and disclosures of such PHI to those purposes that make the return or destruction thereof not feasible, for as long as Business Associate maintains such PHI.

6. Miscellaneous.

a. Regulatory References. A reference in this BAA to a section of the law means the section as in effect or as amended.

b. Amendment. The Parties agree to take such action as is necessary to amend this BAA from time to time as is necessary for either Party or both Parties to comply with the requirements of the HIPAA Standards.

c. Survival. The respective rights and obligations of the parties which by their nature are intended to survive the expiration or termination of this BAA shall survive.

d. Interpretation. Any ambiguity in this BAA shall be resolved to permit Covered Entity to comply with the HIPAA Standards.

e. Construction of Terms. The terms of this BAA shall be construed in light of any applicable interpretation or guidance that may be issued from time to time on the HIPAA Standards by the Department of Health and Human Services or its Office of Civil Rights.

f. No Third Party Beneficiaries. Nothing in this Agreement shall confer upon any person other than the parties and their respective successors or assigns, any rights, remedies, obligations, or liabilities whatsoever.

g. Contradictory Terms. Any provision of the Agreement that is directly contradictory to one or more terms of this BAA shall be superseded by the terms of this BAA as of the Effective Date of this BAA to the extent and only to the extent of the contradiction, only for the purpose of the Covered Entity’s compliance with the HIPAA Standards, and only to the extent that it is reasonably impossible to comply with both the conflicting term and the terms of this BAA.

h. HITECH Act Applicability. To the extent not referenced or incorporated herein, requirements applicable to Business Associate and Covered Entity under the HITECH Act are hereby incorporated by reference into this BAA. Business Associate and Covered Entity agree to comply with applicable requirements imposed under the HITECH Act, as of the effective date of each such requirement.

i. Ownership of Information. The Parties agree that the Protected Health Information and Personal Information is, and shall remain, the property of Covered Entity or its clients or customers.

j. Indemnification. Each party shall indemnify and hold the other harmless from and against all claims, liabilities, judgments, fines, assessments, penalties, awards, or other expenses, of any kind or nature whatsoever, including, without limitation, attorneys’ fees, expert witness fees, and costs of investigation, litigation or dispute resolution, relating to or arising out of any breach of this BAA, or any breach, by that Party or its subcontractors or agents.

k. Insurance. Business Associate shall maintain appropriate and adequate insurance coverage to cover Business Associate’s obligations pursuant to this BAA, in amounts not less than may be required by the Agreement.
