Version Date: November 11, 2021
This Business Associate Agreement (this “BAA”) is entered into between Customer and Vital Interaction. The Terms and Conditions between the parties, together with any sales or work order entered into by the parties, collectively constitute the “Underlying Agreement.” Capitalized terms used but not otherwise defined herein have the meanings ascribed to them in the Underlying Agreement.
BY ACCEPTING THIS BAA OR USING THE SERVICES, AS DEFINED IN THE UNDERLYING AGREEMENT, YOU AGREE TO THIS BAA. IF YOU ARE ENTERING INTO THIS BAA AS AN INDIVIDUAL, THE TERM “CUSTOMER” REFERS TO YOU. IF YOU ARE ENTERING INTO THIS AGREEMENT ON BEHALF OF A COMPANY OR OTHER LEGAL ENTITY, YOU REPRESENT THAT YOU HAVE THE AUTHORITY TO BIND SUCH ENTITY AND ITS AFFILIATES TO THIS BAA, IN WHICH CASE THE TERM “CUSTOMER” SHALL REFER TO SUCH ENTITY. IF YOU DO NOT HAVE SUCH AUTHORITY, OR IF YOU DO NOT AGREE WITH THIS BAA, YOU MUST NOT ACCEPT THIS BAA AND MAY NOT USE VITAL INTERACTION SERVICES FOR THE STORAGE OR TRANSMISSION OF PROTECTED HEALTH INFORMATION (“PHI”).
I. The parties wish to comply with the Health Insurance Portability and Accountability Act of 1996, as amended from time to time and including changes made under the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), and all pertinent regulations issued by the U.S. Department of Health and Human Services, as amended from time to time (collectively, “HIPAA”), and other applicable federal and state confidentiality, privacy, and security laws.
II. Customer is a “covered entity” as defined or construed under HIPAA.
III. Customer is entering into a business relationship with Vital Interaction that is more specifically memorialized in the Underlying Agreement, pursuant to which Vital Interaction will have access to “protected health information” and will be considered a “business associate” and “limited data set recipient” of Customer as those terms are defined or construed under HIPAA.
(a) not use or further disclose the PHI or Unsecured PHI other than as permitted or required by the Underlying Agreement (or this BAA) or as Required by Law;
(b) use appropriate safeguards and comply, where applicable, with Subpart C of 45 C.F.R. Part 164 with respect to electronic PHI, designed to prevent use or disclosure of the PHI or Unsecured PHI other than as provided for in this BAA;
(c) report to Customer any Security Incident, any use or unauthorized disclosure of the PHI not provided for by this BAA, or any Breach involving Unsecured PHI, of which Vital Interaction becomes aware, without unreasonable delay. The parties acknowledge and agree that this Section 2(c) constitutes notice by Vital Interaction to Customer of the ongoing existence and occurrence of attempted but unsuccessful Security Incidents for which no additional notice to Customer shall be required. Unsuccessful Security Incidents shall include, but not be limited to, pings and other broadcast attacks on Vital Interaction’s firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above or similar, so long as such incidents do not result, to the extent Vital Interaction is aware, in unauthorized access, use or disclosure of Electronic Protected Health Information;
(d) ensure that any subcontractors it may engage that create, receive, maintain, or transmit the PHI agree, with respect to such PHI, to substantially the same restrictions and conditions that apply to Vital Interaction through this BAA;
(e) to the extent applicable, provide access to the PHI to Customer or, if properly directed by Customer in a signed writing, to another individual in a Designated Record Set at reasonable times in order to meet the requirements of and in accordance with 45 C.F.R. § 164.524 of the Privacy Rule;
(f) make the PHI available to Customer for amendment and incorporate any amendments Customer makes or directs to be made to the PHI in accordance with 45 C.F.R. § 164.526 of the Privacy Rule;
(g) make Vital Interaction’s internal practices, books, and records relating to the use and disclosure of the PHI available to the Secretary for purposes of determining Customer’s compliance with the Privacy Rule;
(h) document and make available pursuant to commercially reasonable directions of Customer such information necessary to provide an accounting of disclosures of the PHI in accordance with 45 C.F.R. § 164.528 of the Privacy Rule;
(i) return or destroy all the PHI or Unsecured PHI received from Customer (or created or received by Vital Interaction on behalf of Customer) that Vital Interaction maintains in any form at the termination of this BAA, except as may be required or permitted by federal or state laws or regulations, this BAA, or the Underlying Agreement;
(j) to the extent Vital Interaction is to carry out an obligation of Customer under Subpart E of 45 C.F.R. Part 164, comply with the requirements of Subpart E of 45 C.F.R. Part 164 that apply to Customer in the performance of such obligation.
II. General Purposes for which Protected Health Information may be Used or Disclosed. Vital Interaction may use or disclose PHI to:
a. perform Vital Interaction’s obligations under the Underlying Agreement. Except as otherwise provided in this BAA, Vital Interaction may use or disclose PHI to perform functions, activities, or services for or on behalf of Customer if such use or disclosure by Vital Interaction complies with the Privacy Rule and if such use or disclosure of PHI would not violate the requirements of Subpart E of 45 C.F.R. Part 164 if made by Customer;
b. provide data aggregation services relating to the health care operations of Customer;
c. Vital Interaction may use PHI received by Vital Interaction in its capacity as a business associate to Customer as necessary for the proper management and administration of Vital Interaction or to carry out the legal responsibilities of Vital Interaction;
d. Vital Interaction may disclose PHI received by Vital Interaction in its capacity as a business associate to Customer for the proper management and administration of Vital Interaction or to carry out the legal responsibilities of Vital Interaction if:
i. the disclosure is Required by Law; or
ii. Vital Interaction obtains reasonable assurances from any person or entity to whom PHI is disclosed that: (i) the PHI will be held confidential and further used and disclosed only as Required by Law or for the purposes for which it was disclosed to the person or entity and (ii) the person or entity will notify Vital Interaction of any instances of which it is aware in which confidentiality of the PHI has been breached.
III. De-identified Information. Vital Interaction may de-identify PHI obtained by Vital Interaction under this BAA in compliance with 45 C.F.R. § 164.502(d) and 45 C.F.R. § 164.514(a) and (b). Pursuant to 45 C.F.R. § 164.502(d)(2), de-identified information does not constitute PHI and is not subject to the terms of this BAA.
IV. Data Use. Vital Interaction may use and disclose PHI obtained by Vital Interaction under this BAA to create a limited data set without any of the identifiers listed in 45 C.F.R. § 164.514(e) (“Limited Data Set”) for research, public health, and health care operations purposes. Vital Interaction may not use or further disclose a Limited Data Set for any other purpose, except as may otherwise be Required by Law. Vital Interaction must use appropriate safeguards to prevent use or disclosure of a Limited Data Set other than as provided for herein. Vital Interaction must report to Customer any use or disclosure of a Limited Data Set not provided for herein of which Vital Interaction becomes aware. Vital Interaction may disclose a Limited Data Set to any recipient that agrees to the same restrictions and conditions that apply to Vital Interaction with respect to such information. Vital Interaction must ensure that any persons to whom Vital Interaction provides a Limited Data Set agree to the same restrictions and conditions that apply to Vital Interaction with respect to such information. With respect to any particular Limited Data Set, Vital Interaction will not use the Limited Data Set in such a way as to identify any individual whose data is incorporated in the Limited Data Set or to contact any such individual.
(i) will provide notice of and a reasonable opportunity for Vital Interaction to cure the breach or end the violation of this BAA and then, if Vital Interaction does not cure the breach or end the violation of this BAA within a reasonable time frame afforded of at least thirty (30) days, may terminate this BAA if feasible; or
(ii) may, if Vital Interaction has breached a material term of this BAA and a cure is not possible, immediately terminate this BAA if feasible.
(c) Effect of Termination.
(i) Except as provided in Section 4(c)(ii), upon termination of this BAA for any reason, Vital Interaction will, if feasible:
(1) return or destroy all PHI received from Customer or created or received by Vital Interaction on behalf of Customer; and
(2) not retain any copies of the PHI.
(ii) If Vital Interaction determines that the return or destruction of any PHI is infeasible, Vital Interaction will extend the protections of this BAA to such PHI and limit further uses and disclosures of such PHI to those purposes that make return or destruction infeasible, for so long as Vital Interaction maintains such PHI.