BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement (“BAA”) is made by and between Prompt Health Services, LLC, on behalf of itself and its subsidiaries (“Business Associate”) and Customer (“Covered Entity”) pursuant to the Agreement. Covered Entity and Business Associate mutually agree to the terms of this BAA in order to comply with the HIPAA Rules, as defined below.
1. Definitions
1.1. “Breach” shall have the same meaning as the term “Breach” in 45 C.F.R. § 164.402.
1.2. “HIPAA” shall mean the Health Insurance Portability and Accountability Act of 1996, as amended by Subtitle D of the Health Information Technology for Economic and Clinical Health Act, Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 (Pub. L. No. 111-5) (the “HITECH Act”) and the federal regulations (“HIPAA Rules”) published at 45 C.F.R. Parts 160 and 164.
1.3. “Privacy Rule” means the privacy regulations at 45 C.F.R. Part 160 and 45 C.F.R. Part 164, Subparts A and E, as they exist now or as they may be amended.
1.4. “Protected Health Information” (“PHI”) shall have the same meaning as such term as defined in 45 C.F.R. § 160.103, but limited to information that is either created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity or received by Business Associate from Covered Entity.
1.5. “Successful Security Incident” shall mean any Security Incident (as defined in 45 C.F.R. § 164.304) that results in the unauthorized use, access, disclosure, modification, or destruction of electronic PHI.
2. All capitalized terms used in this BAA and not defined elsewhere herein or in the Agreement shall have the same meaning as those terms as used or defined in the HIPAA Rules.
3. Obligations of Business Associate and Permitted Uses and Disclosures by Business Associate
3.1. Compliance. Business Associate agrees to satisfy and comply with the HIPAA Rules concerning the confidentiality, privacy, and security of PHI that apply to business associates. To the extent the Business Associate is to carry out a Covered Entity’s obligation under 45 C.F.R. Part 164 Subpart E, it shall comply with the requirements of that Subpart that apply to the Covered Entity in the performance of such obligation.
3.2. Uses and Disclosures of PHI. Business Associate shall not use or disclose PHI except as permitted by this BAA or as Required by Law. Subject to the limitations set forth in this BAA, Business Associate may use and disclose PHI as necessary to provide its services as described in the Agreement.
3.3. Management and Administration of Business Associate. Subject to the limitations set forth in this BAA, Business Associate may use PHI if necessary for its proper management and administration or to carry out its legal responsibilities. In addition, Business Associate may disclose PHI as necessary for its proper management and administration or to carry out its legal responsibilities provided that:
3.3.1. Any such disclosure is Required by Law; or
3.3.2. (1) Business Associate obtains reasonable assurances, in the form of a written agreement, from the Person to whom the PHI is disclosed that it will be held confidentially and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the Person; and (2) the Person agrees to immediately notify Business Associate (which shall notify Covered Entity in accordance with this Section) of any instances of which it is aware in which the confidentiality of the PHI has been breached.
3.4. De-Identification of PHI. Business Associate may de-identify PHI in accordance with 45 C.F.R. §§ 164.154(a)-(c) for any lawful purpose.
3.5. Data Aggregation Services. Business Associate may provide Data Aggregation services relating to the Health Care Operations of the Covered Entity.
3.6. Mitigation. Business Associate agrees to mitigate: (i) any harmful effect resulting from a Successful Security Incident involving PHI or any use or disclosure of PHI in violation of the requirements of this BAA or the HIPAA Rules and (ii) any material risks identified or discovered as a result of a Security Incident that does not result in the unauthorized use, access, disclosure, modification or destruction of electronic PHI.
3.7. Subcontractors. Business Associate agrees that an agent, including without limitation a Subcontractor, to whom it provides PHI agrees in writing to terms and conditions that are similar to those that apply to Business Associate with respect to such information under this BAA.
3.8. Incident Reporting. Business Associate agrees to report any use or disclosure of PHI not permitted by this BAA and any Breach and any Successful Security Incident to Covered Entity within a commercially reasonable period, but in no event later than fifteen (15) business days, after any such use, disclosure, or Breach is discovered (within the meaning of 45 C.F.R. § 164.410(a)(2)). Such report shall be made by email to notices@prompthealth.com. The parties shall collaborate in good faith to determine if any use or disclosure of PHI not permitted by this BAA, or any Security Incident, constitutes a Breach. In the event of a Breach, Business Associate shall provide the information required by 45 C.F.R. § 164.410(c) to the extent available.
3.9. Access Requests. Subject to consistency with the nature of the services provided by Business Associate under the Agreement, within fifteen (15) business days of receipt of a request from Covered Entity, Business Associate shall provide to Covered Entity or, at its direction, to an Individual, PHI relating to that Individual held by Business Associate or its agents or Subcontractors in a Designated Record Set in accordance with 45 C.F.R. § 164.524. In the event any Individual requests access to his or her PHI directly from Business Associate, Business Associate shall, within fifteen (15) business days of receipt of such request, forward the request to Covered Entity unless the Privacy Rule requires Business Associate to receive and respond to such requests directly, in which case Business Associate shall respond directly as required by and in accordance with 45 C.F.R. § 164.524, and shall send a copy of such response to Covered Entity.
3.10. Amendment Requests. Subject to consistency with the nature of the services provided by Business Associate under the Agreement, within fifteen (15) business days of receipt of a request from Covered Entity, Business Associate agrees to make any requested amendment(s) to PHI held in a Designated Record Set by it, or any of its agents or Subcontractors in conjunction with any other measures necessary to satisfy the requirements set forth in 45 C.F.R. § 164.526. In the event an Individual requests an amendment to his or her PHI directly from Business Associate, Business Associate shall within five (5) business days of receipt thereof, forward such request to Covered Entity.
3.11. Accountings of Disclosures. Subject to consistency with the nature of the services provided by Business Associate under the Agreement, within fifteen (15) business days after a request from Covered Entity, Business Associate, its agents, or Subcontractors shall prepare a list of any disclosure of PHI for which an accounting may be required under 45 C.F.R. § 164.528, and provide such list in writing, via email, to notices@prompthealth.com. In the event any Individual requests an accounting of disclosures under 45 C.F.R. § 164.528(a) directly from Business Associate, Business Associate shall, within fifteen (15) business days of receipt of such request, forward the request to Covered Entity unless the Privacy Rule requires or Covered Entity directs Business Associate to receive and respond to such requests directly, in which case Business Associate shall respond directly as required by and in accordance with 45 C.F.R. § 164.528, and shall send a copy of such response to Covered Entity.
3.12. Books and Records. Business Associate agrees to make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of Health and Human Services or her/his designees or other government authorities in a time and manner designated by such governmental authorities, for purposes of determining compliance with the HIPAA Rules.
4. Security of PHI
4.1. HIPAA Safeguards. Business Associate agrees to implement appropriate administrative, physical, and technical safeguards required by the HIPAA Rules.
5. Covered Entity Obligations
5.1. Notice of Privacy Practices. Covered Entity shall notify Business Associate of any limitation(s) in the notice of privacy practices of Covered Entity under 45 C.F.R. § 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI.
5.2. Changes. Covered Entity shall notify Business Associate of any changes in, or revocation of, the permission by an Individual to use or disclose his or her PHI, to the extent that such changes may affect Business Associate’s use or disclosure of PHI.
5.3. Restrictions on Use or Disclosure. Covered Entity shall notify Business Associate of any restriction on the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 C.F.R. § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.
5.4. Requests to Business Associate. Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under Subpart E of 45 C.F.R. Part 164 if done by Covered Entity, except to the extent that Business Associate will use or disclose PHI for the management and administration and legal responsibilities of the Business Associate.
5.5. Minimum Necessary. Covered Entity shall disclose to Business Associate only the minimum amount of PHI necessary to allow Business Associate to fulfill its obligations to Covered Entity under the Agreement.
6. Term and Termination
6.1. Term. The term of this BAA shall continue for so long as the Agreement remains in effect.
6.2. Termination. Upon either party’s determination that the other party has violated or breached a material term of this BAA, the non-breaching party shall provide an opportunity for the breaching party to cure the breach or end the violation, and terminate this BAA and the Agreement if the breaching party does not cure the breach or end the violation within a reasonable period.
7. Effect of Termination
7.1. Return/Destruction of PHI. Except as provided in paragraph (b) of this subsection infra, upon termination of this BAA for any reason, Business Associate shall, at the election of Covered Entity, return to Covered Entity or destroy all PHI in its possession or that of its Subcontractors or agents. The Parties acknowledge and agree that Business Associate may retain a copy of PHI as required by law or as otherwise required for Business Associate’s proper management and administration. The obligation of Business Associate under this provision shall continue for as long as Business Associate maintains this PHI, shall survive termination of this Agreement, and shall continue to bind Covered Entity, its agents, contractors, successors and assigns, for however long this PHI is held by any of them.
7.2. Exceptions. In the event that returning or destroying the PHI is infeasible, Business Associate shall provide to Covered Entity written notification of the conditions that make return or destruction infeasible. Upon agreement by Covered Entity that return or destruction of the PHI is infeasible, Business Associate shall extend the protections of this BAA to such PHI, and limit further uses and disclosures of it to those purposes that make the return or destruction infeasible, for so long as Business Associate or its agents or Subcontractors hold such PHI.
7.3. Other Rights. Upon termination of this Agreement, Covered Entity authorizes Business Associate to transmit or make available for copying to Covered Entity all PHI or patient records maintained by Business Associate. Covered Entity releases Business Associate from any obligation to retain any copies or backups.
8. Miscellaneous
8.1. Amendment. The parties agree to negotiate in good faith to amend this BAA from time to time to comply with the requirements of any HIPAA Rules. If either party disagrees with any amendment proposed by the other party, it shall so notify the proposing party in writing no later than fifteen (15) business days after receipt of notice of the amendment. If the parties are unable to agree on an amendment, either party may, at its option, terminate this BAA and the Agreement.
8.2. Section References. A reference in this BAA to a section in the HIPAA Rules means the section as in effect or as amended, and as of its effective date.
8.3. Interpretation. Any ambiguity in this BAA shall be resolved to permit compliance with the HIPAA Rules.
8.4. Order of Precedence. The terms and conditions of this BAA shall override and control any conflicting term or condition of the Agreement. All non-conflicting terms and conditions of the Agreement remain in full force and effect.
8.5. Relationship of Parties. It is expressly agreed that Business Associate, its divisions, and its affiliates, including its employees and Subcontractors, are performing the services under this BAA as independent contractors for Covered Entity. Neither Business Associate nor any of its affiliates, officers, directors, employees or Subcontractors is an employee or agent of Covered Entity. Nothing in this BAA shall be construed to create (i) a partnership, joint venture or other joint business relationship between the parties or any of their affiliates, or (ii) an agency relationship.
8.6. Waiver. A waiver of a breach of this BAA shall not be deemed to be a waiver of a breach of any other provision of this BAA, or of a future waiver of any subsequent breach of the same provision.
8.7. No Third Party Beneficiaries. Except as it relates to the agreements with subcontractors referred to in Section 3.7 above, nothing express or implied in this BAA is intended to confer, nor shall anything herein confer, upon any Person other than the parties and the respective successors and permitted assigns of the parties, any rights, remedies, obligations, or liabilities whatsoever.
8.8. Entire Agreement. This BAA constitutes the entire understanding among the parties with respect to its subject matter. If the terms of this BAA are inconsistent with the terms of any present or future underlying service or sale agreement between the parties, the terms of this BAA shall control.