Business Associate Agreement For PatientClix “Covered Entity” Customers
These Standard HIPAA Business Associate Agreement Terms and Conditions (“HIPAA Addendum”) shall be incorporated into the Master Service Agreement for Customers that are Covered Entities (as defined below) that provide Protected Health Information (“PHI”) (as defined below) to PatientClix in connection with the PatientClix For Local Business and Enterprise services they have purchased. These terms supplement the purchase agreement between PatientClix and Customers (“Underlying Agreement”) in order to comply with the federal Standards for Privacy of Individually Identifiable Health Information, located at 45 C.F.R. Part 160 and Part 164, Subparts A through E (“Privacy Rule”) and the Health Information Technology for Economic and Clinical Health Act, Public Law 111-005 (the “HITECH Act”).
1. CATCH-ALL DEFINITIONS:
The following terms used in this Agreement shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Protected Health Information, Required By Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use.
2. SPECIFIC DEFINITIONS:
Terms used, but not otherwise defined, in this HIPAA Addendum shall have the same meaning as those terms in the Privacy Rule or the HITECH Act.
A. “Breach” shall have the same meaning given to such term under 42 U.S.C. § 17921.
B. “Business Associate” shall generally have the same meaning as the term “business associate” at 45 CFR 160.103, and in reference to the party to this agreement, shall mean PatientClix.
C. “Covered Entity” shall generally have the same meaning as the term “covered entity” at 45 CFR 160.103, and in reference to the party to this agreement, shall mean [Insert Name of Covered Entity].
D. “HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.
E. “Individual” shall have the same meaning as the term “individual” in 45 C.F.R. § 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. § 164.502(g).
F. “Protected Health Information” or “PHI” shall have the same meaning as the term “protected health information” in 45 C.F.R. § 160.103, limited to the information created or received by Business Associate from or on behalf of the Covered Entity.
G. “Required by Law” shall have the same meaning as the term “required by law” in 45 C.F.R. § 160.103.
H. “Unsecured PHI” shall have the same meaning given to such term under the HITECH Act and any guidance issued pursuant to this act.
3. OBLIGATIONS AND ACTIVITIES OF BUSINESS ASSOCIATE:
PatientClix agrees to:
4. PERMITTED USES AND DISCLOSURES BY PATIENTCLIX:
5. PROVISIONS FOR COVERED ENTITY TO INFORM BUSINESS ASSOCIATE OF PRIVACY PRACTICES AND RESTRICTIONS:
6. TERM AND TERMINATION:
1. Term: The Term of this HIPAA Addendum shall be effective as of the first day that the Covered Entity provides PHI to PatientClix and shall terminate when all of the PHI provided by the Covered Entity to PatientClix, or created or received by PatientClix on behalf of the Covered Entity, is destroyed or returned to the Covered Entity, or if it is infeasible to return or destroy PHI, protections are extended to such information in accordance with the termination provisions in this Section.
2. Termination for Cause: PatientClix authorizes termination of this Agreement by the Covered Entity, if the Covered Entity determines PatientClix has violated a material term of the Agreement:
A. Provide 60 days’ advance written notice specifying the nature of the breach or violation to PatientClix. PatientClix shall have 60 days from the date of the notice in which to remedy the breach or violation. If such corrective action is not taken within the time specified, this HIPAA Addendum and the Underlying Agreement shall terminate at the end of the 60-day period without further notice or demand.
B. Immediately terminate this HIPAA Addendum and the Underlying Agreement if PatientClix has breached a material term of this HIPAA Addendum and cure is not possible.
C. Report the violation to the Secretary if neither cure of the breach nor termination of this HIPAA Addendum and the Underlying Agreement is feasible.
3. Obligation of PatientClix Upon Termination:
A. Upon termination of this HIPAA Addendum or the Underlying Agreement, for any reason, PatientClix shall return or destroy all PHI received from Covered Entity, or created, maintained, or received by PatientClix on behalf of Covered Entity. This provision shall apply to PHI that is in the possession of subcontractors or agents of PatientClix. PatientClix shall retain no copies of the PHI.
B. Upon termination of this Agreement for any reason, PatientClix, with respect to PHI received from Covered Entity, or created, maintained, or received by PatientClix on behalf of the Covered Entity, shall:
C. In the event that PatientClix determines that returning or destroying PHI is not feasible, PatientClix shall notify Covered Entity in writing of the conditions that make return or destruction infeasible. If return or destruction of the PHI is infeasible, PatientClix shall extend the protections of this HIPAA Addendum to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as PatientClix maintains such PHI.
7. MISCELLANEOUS IN ADDITION TO TERMS AND CONDITIONS: