This BUSINESS ASSOCIATE AGREEMENT (this “BAA”), by and between EASYRX LLC, a
Georgia limited liability company (“Business Associate”) and your Business (“Covered Entity”) is
entered into and made effective as of the date the authorized agent of Business Associate clicks the
“Accept” button below (the “Effective Date”).
BY CLICKING THE “ACCEPT” BUTTON, COVERED ENTITY ACKNOWLEDGES AND AGREES
THAT IT HAS READ ALL OF THE TERMS AND CONDITIONS OF THIS AGREEMENT AND
AGREES TO BE BOUND BY ALL TERMS AND CONDITIONS.
The person clicking the ACCEPT button hereby represents to EasyRx, LLC that he or she is at least
18 years old and is competent and fully authorized to enter into this binding agreement on behalf of
the Business Associate.
WHEREAS, Covered Entity and Business Associate are parties to an agreement or various
agreements whereby Business Associate provides certain services to Covered Entity (“Agreement”).
WHEREAS, Business Associate’s performance of the Agreement may require Business Associate to
create, receive, maintain, or transmit Protected Health Information or financial accounts that are
subject to the federal law and regulations with respect to privacy, security, and breach notification
under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), including all pertinent
regulations issued by the agencies of the United States Department of Health and Human Services
(45 C.F.R. Parts 160 and 164), as amended by Subtitle D of the Health Information Technology for
Economic and Clinical Health Act (HITECH Act), Title XIII of Division A and Title IV of Division B of
the American Recovery and Reinvestment Act of 2009 (Pub. L. 111-5) (collectively referred to
hereinafter as the “HIPAA Standards”); and
WHEREAS, the parties are committed to complying with the HIPAA Standards;
NOW, THEREFORE, in consideration of the mutual promises and obligations set forth herein, and
other good and valuable consideration, the receipt and sufficiency of which the parties acknowledge,
the parties hereby agree as follows:
1. General. This BAA sets forth the terms and conditions under which Protected Health
Information or Electronic Protected Health Information that Business Associate creates,
receives, maintains, or transmits on behalf of the Covered Entity will be handled
between the Business Associate and the Covered Entity, as well as with third parties
during the term of the Agreement and following its termination. In the event of an
inconsistency between the terms of the Agreement and the terms of this BAA, the terms
of this BAA shall control in regard to the handling of Protected Health Information or
Electronic Protected Health Information.
2. Definitions. When used in this BAA, the following terms have the following meanings:
a. “Protected Health Information” or “PHI” has the same meaning as the term
“protected health information” in 45 C.F.R. § 160.103, limited to the
information created, received, maintained, or transmitted on behalf of
b. “Electronic Protected Health Information” has the same meaning as the
term “electronic protected health information” in 45 C.F.R. § 160.103,
limited to the information created, received, maintained, or transmitted on
behalf of Covered Entity.
c. “Unsecured Protected Health Information” or “Unsecured PHI” means
Protected Health Information that is not secured through the use of a
technology or methodology specified by the Secretary in guidance or as
otherwise defined in Section 13402(h) of the HITECH Act.
d. “Privacy Rule” means the Standards for Privacy of Individually Identifiable
Health Information at 45 C.F.R. part 160, part 162 and part 164, subparts
A and E.
e. “Security Rule” means the Security Standards for the Protection of
Electronic Protected Health Information at 45 C.F.R. part 160 and part
164, subpart C.
f. “Secretary” means the Secretary of the Department of Health and Human
Services or his/her designee.
g. Terms used, but not otherwise defined, in this BAA shall have the same
meaning as those terms in the HIPAA Standards and regulations.
h. The term Protected Health Information or PHI shall include both Protected
Health Information and Electronic Protected Health Information (“ePHI”);
however, ePHI shall be used when only Electronic Protected Health
Information is being referenced.
3. Obligations and Activities of Business Associate.
a. Business Associate agrees not to use or disclose Protected Health
Information other than as permitted or required by the Agreement
(including this BAA) or as Required By Law.
b. Business Associate will implement administrative, physical, and technical
safeguards set forth in 45 CFR §§ 164.308, 164.310, and 164.312 that
reasonably and appropriately protect the confidentiality, integrity, and
availability of any Protected Health Information that it creates, receives,
maintains or transmits on behalf of Covered Entity, and in accordance with
45 C.F.R. § 164.316, implement and maintain reasonable and appropriate
policies and procedures to enable it to comply with the requirements
outlined in 45 CFR §§ 164.308, 164.310, and 164.312.
c. Business Associate agrees to mitigate, to the extent practicable, any
harmful effect that is known to Business Associate of a use or disclosure of
Protected Health Information by Business Associate in violation of the
requirements of this BAA.
d. Business Associate agrees to report promptly, no later than five (5) days
after discovery, to Covered Entity any use or disclosure of the Protected
Health Information not provided for by this BAA of which it becomes
aware. For uses or disclosures that represent breaches of unsecured
Protected Health Information, Business Associate shall report the
information required by 45 C.F.R. § 164.410 without unreasonable delay,
and in no case later than thirty (30) days after discovery.
e. Business Associate agrees to ensure that any subcontractor that creates,
receives, maintains, or transmits Protected Health Information agrees to
the same restrictions, conditions, and requirements that apply through this
BAA to Business Associate with respect to such information. Business
Associate shall perform appropriate due diligence on each subcontractor
prior to permitting a Subcontractor to receive, create, maintain, or transmit
Protected Health Information.
f. Business Associate agrees to provide access, within ten (10) days of
receiving a written request from Covered Entity, to Protected Health
Information in a Designated Record Set to Covered Entity or, as directed
by Covered Entity, to an Individual in order to meet the requirements under
45 C.F.R. § 164.524, and any subsequent legislation or guidance
regarding an Individual’s right to access his or her Protected Health
Information, including, but not limited to, the requirements of Section
13405 of HITECH Act and the regulations thereunder. In the event any
Individual requests access to Protected Health Information directly from
Business Associate, Business Associate shall forward such request to
Covered Entity within two (2) days.
g. Business Associate agrees to make any amendment(s) to Protected
Health Information in a Designated Record Set that the Covered Entity
directs or agrees to pursuant to 45 C.F.R. § 164.526 and any subsequent
legislation or guidance regarding an Individual’s right to request
amendment of his or her Protected Health Information within thirty (30)
days of receiving a written request from Covered Entity. In the event any
Individual requests amendment of Protected Health Information directly
from Business Associate, Business Associate shall forward such request
to Covered Entity within five (5) days.
h. Business Associate agrees to comply with the applicable requirements of
the Security Rule and to ensure that any subcontractor that creates,
receives, maintains, or transmits Protected Health Information agrees to
comply with the applicable requirements of the Security Rule.
i. Business Associate agrees to make its internal practices, books, and
records, including policies and procedures, relating to the use and
disclosure of Protected Health Information received from, or created or
received by Business Associate on behalf of, Covered Entity available to
the Covered Entity within ten (10) days of receiving a written request from
Covered Entity, or to the Secretary, in a time and manner designated by
the Secretary, for purposes of the Secretary’s determining Covered Entity’s
compliance with the Privacy Rule and Security Rule. Nothing in this
section shall be construed as a waiver of any legal privilege or of any
protections for trade secrets or confidential commercial information.
Business Associate shall immediately notify Covered Entity of such
request from the Secretary pertaining to an investigation of Covered
Entity’s compliance with HIPAA.
j. Business Associate agrees to document uses and disclosures of Protected
Health Information and information related to such disclosures as would be
required for Covered Entity to respond to a request by an Individual for an
accounting of disclosures of Protected Health Information and/or an
access report in accordance with 45 C.F.R. § 164.528 and any subsequent
legislation or guidance regarding an Individual’s right to an accounting of
the disclosures of his or her Protected Health Information or access report,
including but not limited to, the requirements of Section 13405 of HITECH
Act and the regulations thereunder. Nothing in this section shall require
documenting PHI as necessary to create an access report unless 45
C.F.R. § 164.528 is amended to require such a report.
k. To the extent Business Associate is to carry out one or more of Covered
Entity’s obligation(s) under Subpart E of 45 C.F.R. Part 164, including but
not limited to provision of Covered Entity’s notice of privacy practices,
Business Associate agrees to comply with the requirements of Subpart E
that apply to the Covered Entity in the performance of such obligation(s).
4. Permitted Uses and Disclosures by Business Associate.
a. Except as otherwise limited in this BAA, Business Associate may use or
disclose Protected Health Information to perform functions, activities, or
services for, or on behalf of, Covered Entity as specified in the Agreement,
provided that such use or disclosure would not violate the Privacy Rule if
done by Covered Entity.
b. Except as otherwise limited in this BAA, Business Associate may disclose
Protected Health Information for the proper management and
administration or to carry out the legal responsibilities of the Business
Associate, provided that disclosures are Required By Law, or (i) Business
Associate obtains reasonable assurances from the person to whom the
information is disclosed that it will remain confidential and used or further
disclosed only as Required By Law or for the purpose for which it was
disclosed to the person, and the person notifies the Business Associate of
any instances of which it is aware in which the confidentiality of the
information has been breached; and (ii) Business Associate obtains
Covered Entity’s prior written approval for such disclosures involving 500
or more Individuals.
c. Except as otherwise limited in this BAA, Business Associate may use
Protected Health Information to provide Data Aggregation services to
Covered Entity as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B).
d. Business Associate may use Protected Health Information to report
violations of law to appropriate Federal and State authorities, consistent
with 45 C.F.R. § 164.502(j)(1).
e. Business Associate may not use Protected Health Information to create
de-identified health information under 45 C.F.R. § 164.514(b) of the
Privacy Rule unless necessary to perform functions, activities, or services
for, or on behalf of, Covered Entity as specified in the Agreement.
5. Term and Termination.
a. Term. The term of this BAA shall be effective upon execution, and shall
terminate when the Agreement is terminated.
b. Termination for Cause. Upon either Party’s knowledge of a material
breach by the other Party of its obligations under this Agreement, the non-breaching
Party shall, within twenty (20) days of that determination, notify
the breaching Party, and the breaching Party shall have thirty (30) days
from receipt of that notice to cure the breach or end the violation. If the
breaching Party fails to take reasonable steps to effect such a cure within
such time period, the non-breaching Party may terminate this Agreement
and the Underlying Agreements without penalty. Where either Party has
knowledge of a material breach by the other Party and determines that
cure is infeasible, prior notice of the breach is not required, and the non-breaching
Party shall terminate the portion of the Underlying Agreements
affected by the breach without penalty. Where neither cure nor termination
is feasible, the non-breaching Party shall report the violation to the
c. Effect of Termination. Upon termination of this Agreement, the parties
hereby acknowledge that the return or destruction of PHI received by the
Business Associate from Covered Entity is likely not feasible, and that,
therefore Business Associate may retain a copy of such Protected Health
Information provided that: (i) the provisions of this BAA shall continue to
apply to any such information retained following cancellation, termination,
expiration, or other conclusion of the Agreement; and (ii) Business
Associate shall limit uses and disclosures of such PHI to those purposes
that make the return or destruction thereof not feasible, for as long as
Business Associate maintains such PHI.
a. Regulatory References. A reference in this BAA to a section of the law
means the section as in effect or as amended.
b. Amendment. The Parties agree to take such action as is necessary to
amend this BAA from time to time as is necessary for either Party or both
Parties to comply with the requirements of the HIPAA Standards.
c. Survival. The respective rights and obligations of the parties which by
their nature are intended to survive the expiration or termination of this
BAA shall survive.
d. Interpretation. Any ambiguity in this BAA shall be resolved to permit
Covered Entity to comply with the HIPAA Standards.
e. Construction of Terms. The terms of this BAA shall be construed in light
of any applicable interpretation or guidance that may be issued from time
to time on the HIPAA Standards by the Department of Health and Human
Services or its Office of Civil Rights.
f. No Third Party Beneficiaries. Nothing in this Agreement shall confer
upon any person other than the parties and their respective successors or
assigns, any rights, remedies, obligations, or liabilities whatsoever.
g. Contradictory Terms. Any provision of the Agreement that is directly
contradictory to one or more terms of this BAA shall be superseded by the
terms of this BAA as of the Effective Date of this BAA to the extent and
only to the extent of the contradiction, only for the purpose of the Covered
Entity’s compliance with the HIPAA Standards, and only to the extent that
it is reasonably impossible to comply with both the conflicting term and the
terms of this BAA.
h. HITECH Act Applicability. To the extent not referenced or incorporated
herein, requirements applicable to Business Associate and Covered Entity
under the HITECH Act are hereby incorporated by reference into this BAA.
Business Associate and Covered Entity agree to comply with applicable
requirements imposed under the HITECH Act, as of the effective date of
each such requirement.
i. Ownership of Information. The Parties agree that the Protected Health
Information and Personal Information is, and shall remain, the property of
Covered Entity or its clients or customers.
j. Indemnification. Each party shall indemnify and hold the other harmless
from and against all claims, liabilities, judgments, fines, assessments,
penalties, awards, or other expenses, of any kind or nature whatsoever,
including, without limitation, attorneys’ fees, expert witness fees, and costs
of investigation, litigation or dispute resolution, relating to or arising out of
any breach of this BAA, or any breach, by that Party or its subcontractors
k. Insurance. Business Associate shall maintain appropriate and adequate
insurance coverage to cover Business Associate’s obligations pursuant to
this BAA, in amounts not less than may be required by the Agreement.