Business Associate Agreement
This Business Associate Agreement (“BA Agreement”) is made by and between MineralTree, Inc. (“Business Associate” or “MineralTree”) and you or the entity you represent (“Covered Entity” or “Client”) (collectively the “Parties”) and is effective as of the date of acceptance by you (whether by “click-through” or otherwise) (the “Effective Date”).
The terms of this BA Agreement shall only apply to the extent (i) Business Associate creates, transmits, or receives any individually identifiable health information (“Protected Health Information” or “PHI”) subject to protection under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), on behalf of Covered Entity, and (ii) this BA Agreement is necessary to comply with HIPAA in light of subsection (i).
1. Definitions.
Capitalized terms used, but not otherwise defined, in this BA Agreement shall have the same meaning as those terms used in HIPAA.
2. Obligations and Activities of MineralTree.
2.1. WHEREAS, MineralTree provides an accounts payable and payment automation solution to Client pursuant to a separate Customer Agreement (“Services”);
2.2. WHEREAS, in connection with such Services, Client may disclose to Business Associate certain Protected Health Information that is subject to protection under HIPAA, and regulations promulgated pursuant to such act;
2.3. WHEREAS, the purpose of this BA Agreement is to comply with the requirements of HIPAA; and
2.4. NOW, THEREFORE, in consideration of the mutual promises and covenants herein, and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties agree as follows:
2.5. MineralTree agrees to not use or further disclose Protected Health Information received from or on behalf of Client, or to the extent applicable, created for Client in connection with providing the Services other than as permitted or required by this BA Agreement or as required by law. MineralTree further agrees that, when using or disclosing PHI, it shall limit PHI, to the extent practicable, to a limited data set as defined in 45 CFR 164.514(e)(2) or, if a limited data set is not practicable, limit PHI to the minimum amount of PHI reasonably necessary to accomplish the intended purpose of such use or disclosure.
2.6. MineralTree agrees to use appropriate safeguards to prevent use or disclosure of the PHI, other than as provided for by this BA Agreement, including implementing administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic PHI that it may create, receive, maintain, or transmit on behalf of Client in connection with providing the Services. MineralTree further agrees to comply with the requirements of the HIPAA Security Rule.
2.7. MineralTree agrees to mitigate, to the extent commercially practicable, any harmful effect that is known to MineralTree of a use or disclosure of PHI by MineralTree in violation of the requirements of this BA Agreement.
2.8. MineralTree agrees to report to Client any use or disclosure of PHI that is not provided for by this BA Agreement of which it becomes aware. MineralTree also agrees to notify Client of any Breach of Unsecured PHI in accordance with 45 CFR 164.410; such notification shall be made in as expeditious a manner as possible and in no event later than 60 calendar days after discovery, as defined in 45 CFR 164.410(a)(2), and shall comply with the requirements of the HIPAA Breach Notification Rule. MineralTree shall also, without unreasonable delay, but in no event later than five business days after becoming aware of any Security Incident that is not an Unsuccessful Security Incident (as defined herein), report such Security Incident to Client. Client acknowledges that MineralTree experiences Unsuccessful Security Incidents from time to time. Client acknowledges receipt of this report of Unsuccessful Security Incidents. “Unsuccessful Security Incident” means an immaterial Security Incident that does not involve an unauthorized use or disclosure of Unsecured Protected Health Information.
2.9. Client acknowledges that MineralTree may use Subcontractors. MineralTree agrees to ensure that any Subcontractor to whom it provides PHI received from, or created or received by MineralTree on behalf of, Client in connection with performance of the Services agrees to substantially the same restrictions and conditions that apply through this BA Agreement to MineralTree with respect to such information. Notwithstanding the foregoing, Client acknowledges that MineralTree is not required to enter into a Business Associate Agreement with service providers that process, clear, and settle payments for MineralTree and act solely as, or for, a “financial institution” as described in Section 1179 of the Social Security Act, 42 USC § 1320d-8, and that are therefore not subject to the rules and standards for the privacy and security of Protected Health Information promulgated by HIPAA or the Health Information Technology for Economic and Clinical Health Act.
2.10. MineralTree agrees to make internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created or received by MineralTree on behalf of, Client available to the Secretary, in a time and manner designated by the Client or the Secretary and not materially disruptive of MineralTree’s operations or business, for the purposes of the Secretary determining Client’s or MineralTree’s compliance with the HIPAA Privacy Rule. The MineralTree business unit providing the Services shall reasonably cooperate with Client and Secretary in responding to the Secretary’s requests. All information provided by MineralTree pursuant to this provision shall remain Confidential Information under this BA Agreement and subject to the restrictions on disclosure of such information as set forth therein.
2.11. To the extent MineralTree carries out any of Client’s obligations under the HIPAA Privacy Rule, MineralTree shall comply with the requirements of the HIPAA Privacy Rule that apply to Client in the performance of such obligations, provided that Client advises MineralTree of such obligations which are not included in the Services under this BA Agreement and agrees to a fee for MineralTree’s performance of such obligations in accordance with Section 2.12.
2.12. If, in the performance of its obligations set forth in Sections 2.8 through 2.11 (inclusive), and Sections 5.1 through 5.3 (inclusive), MineralTree expends time and materials that are materially in addition to the Services to be provided by MineralTree pursuant to this BA Agreement, MineralTree shall provide Client with an estimate of the fees for such time and materials. Upon the mutual agreement by Client and MineralTree as to the fees to be charged by MineralTree for such time and materials, MineralTree shall invoice Client on a time and materials basis at the agreed-upon rate(s), and Client shall pay MineralTree all such fees in accordance with the payment terms of the separate Customer Agreement or this BA Agreement.
3. Permitted Uses and Disclosures by MineralTree.
Except as otherwise limited in this BA Agreement, MineralTree may use or disclose PHI to perform functions, activities, or services for, or on behalf of, Client as specified in this BA Agreement, provided that such use or disclosure would not violate the HIPAA Privacy Rule if done by Client or the minimum necessary policies and procedures of the Client of which MineralTree has been informed.
4. Specific Use and Disclosure Provisions.
4.1. Except as otherwise limited in this BA Agreement, MineralTree may use PHI for the proper management and administration of MineralTree or to carry out the legal responsibilities of MineralTree.
4.2. Except as otherwise limited in this BA Agreement, MineralTree may disclose PHI for the proper management and administration of MineralTree, provided that disclosures are required by Law, or MineralTree obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as required by Law or for the purpose for which it was disclosed to the person, and the person notifies MineralTree of any instances of which it is aware in which the confidentiality of the information has been breached.
4.3. Except as otherwise limited in this BA Agreement, MineralTree may use and disclose PHI to provide Data Aggregation services to Client and other Covered Entities as permitted by 45 CFR 164.504(e)(2)(i)(B).
4.4. MineralTree may use PHI to create de-identified health information in accordance with the HIPAA Privacy Rule’s de-identification standards and use and disclose the de-identified health information for commercial purposes and any other purposes not prohibited by Applicable Law. Client agrees that MineralTree shall be the exclusive owner of any de-identified health information.
5. Obligations of Client.
5.1. Client shall provide MineralTree with any limitations in the notice of privacy practices of Client in accordance with 45 CFR 164.520, to the extent that such limitation may affect MineralTree’s use or disclosure of PHI.
5.2. Client shall provide MineralTree with any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent that such changes may affect MineralTree’s use or disclosure of PHI.
a) Client shall notify MineralTree in writing of any restriction to the use or disclosure of PHI that Client has agreed to in accordance with 45 CFR 164.522, to the extent that such restriction may affect MineralTree’s use or disclosure of PHI.
b) Client shall not request MineralTree to use or disclose PHI in any manner that would not be permissible under the HIPAA Privacy Rule if done by Client.
6. Term and Termination.
6.1. Term. The Term of this BA Agreement shall be effective as of the Effective Date contemplated by the Customer Agreement in which this BA Agreement is included, and shall terminate when all of the PHI provided by Client to MineralTree, or created or received by MineralTree on behalf of Client, is destroyed or returned to Client, or, if it is infeasible to return or destroy PHI, protections are extended to such information, in accordance with the termination provisions in this Section.
6.2. Termination For Cause. In addition to any termination rights set forth in this BA Agreement, in the event of a material breach of this BA Agreement by a party, the non-breaching party shall either: (i) provide the breaching party with an opportunity to cure the breach or end the violation, and terminate this BA Agreement if the breaching party does not cure the breach or end the violation within sixty (60) days, or (ii) immediately terminate this BA Agreement if cure is not possible.
6.3. Termination upon Issuance of Guidance or Change In Law. If the Secretary provides additional guidance, clarification or interpretation on the HIPAA Privacy Rule, or there is a change or supplement to the HIPAA statutes or regulations (both referred to as a “HIPAA Change”), such that a party hereto determines that the service relationship between MineralTree and Client is no longer a Business Associate relationship as defined in HIPAA, such party shall provide written notice to the other party of the HIPAA Change, and upon mutual agreement of the parties that the HIPAA Change renders this BA Agreement unnecessary, this BA Agreement shall terminate and be null and void.
6.4. Effect of Termination.
a) Except as provided in paragraph (b) of this subsection, upon termination of this BA Agreement, for any reason, MineralTree shall return or destroy all PHI received from Client, or created or received by MineralTree on behalf of Client. This provision shall apply to PHI that is in the possession of Subcontractors of MineralTree. Except as provided in paragraph (b) below, MineralTree shall retain no copies of the PHI.
b) In the event that MineralTree determines that returning or destroying the PHI is infeasible, MineralTree shall extend the protections of this BA Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as MineralTree maintains such PHI. Client acknowledges and agrees that MineralTree may determine that it is infeasible to return or destroy the PHI if MineralTree is required to retain the PHI by Applicable Law or MineralTree’s document retention policies. In addition, MineralTree may delay return or destruction of PHI until Client has confirmed in writing that Client has successfully exported (or otherwise received) the PHI.
c) Upon return or destruction of the PHI, or if return or destruction is infeasible, Business Associate will continue to extend the protections of this BA Agreement to any PHI it retains and limit any further use of such PHI to those purposes that make the return or destruction of the PHI infeasible.
7. Miscellaneous.
7.1. Client Rights and Remedies Upon Breach By MineralTree. In the event MineralTree fails to perform its obligations hereunder or otherwise breaches this BA Agreement, Client may exercise all rights and remedies available to it under this Agreement, subject to applicable limitations of liability set forth in this BA Agreement or such other conditions as may apply to Client rights or remedies.
7.2. Minimum Necessary. Business Associate (and its Subcontractors) shall, to the extent practicable, limit its request, use, or disclosure of PHI to the minimum amount of PHI necessary to accomplish the purpose of the Services, taking into account the nature of the Services provided by Business Associate. Client agrees that Client will not provide any PHI to MineralTree other than, as needed, to facilitate payments.
7.3. Amendment. The parties agree to take such action as is necessary to amend this BA Agreement from time to time as is necessary for Client or MineralTree to comply with HIPAA. If, following good faith negotiations that shall not exceed ninety (90) calendar days from the date of the request for negotiations, the parties are unable to agree on the modifications to the terms of this BA Agreement that may be necessary or appropriate in order for Client or MineralTree to comply with HIPAA, either party shall have the right to terminate this BA Agreement without cause as of a date specified in a notice of termination, such date to be no less than thirty (30) days following the effective date of such notice.
7.4. Survival. The respective rights and obligations of MineralTree under Section 6.4 of this BA Agreement shall survive the termination of this Agreement.
7.5. Interpretation. Any ambiguity in this BA Agreement shall be resolved in favor of a meaning that permits Client and MineralTree to comply with HIPAA.
7.6. Regulatory References. A reference in this BA Agreement to a section in HIPAA means the section as in effect or as amended.
7.7. Conflict. In the event of any conflict between the terms and conditions of this BA Agreement and the terms and conditions of the Customer Agreement, the terms and conditions of this BA Agreement will override and control any conflicting terms or conditions for the Customer Agreement as this relates to the use or disclosure of PHI. For the avoidance of doubt, the parties acknowledge and agree that this BA Agreement does not override the limitation of liability and the indemnification terms in the Customer Agreement. All non-conflicting terms and conditions of the Customer Agreement shall remain in full force and effect.