Business Associate Agreement (BAA) and Service Contract

To proceed, your facility will need to fill out and sign both a Business Associate Agreement (BAA) and a product Licensing Agreement with Novarad.

Novarad Corporation

BUSINESS ASSOCIATE AGREEMENT

This Business Associate Agreement (“Agreement”) is made on ____________ (“Effective Date”) by and between ____________ (Company Name) having its principal place of business at (“COVERED ENTITY”) and NOVARAD CORPORATION (“BUSINESS ASSOCIATE”). Any capitalized terms used in this Agreement that are not defined herein shall have the meaning ascribed to them in the Health Insurance Portability and Accountability Act of 1996 as contained in 45 C.F.R. parts 160, 162 and 164 ("HIPAA") and Subtitle D (Privacy) of Title XIII of Division A and Section 4104(b) of Title IV of Division B of the American Recovery and Reinvestment Act of 2009 (the "HITECH Act") or the Novarad Customer Contract (“the Contract”).

In order for Business Associate to provide services that require access to Protected Health Information to Covered Entity under the Contract, the parties agree to the following terms related to the HIPAA federal privacy regulations contained in 45 C.F.R. parts 160 and 164 ("HIPAA Privacy Regulations"), the HIPAA federal security standards contained in 45 C.F.R. parts 160 and 164 ("HIPAA Security Regulations"), the HIPAA federal standards for electronic transactions contained in 45 C.F.R. parts 160 and 162 ("HIPAA Transaction Regulations") and the HITECH Act.

1. Business Associate is permitted to use and disclose Protected Health Information (“PHI”) received and archived by Business Associate from or on behalf of Covered Entity as required to perform its obligations under the Contract; provided, however, Business Associate may not use or further disclose PHI in a manner that would not be permissible if done by Covered Entity, except Business Associate may also:
               a. use PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate;
               b. disclose PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate if
                     i) the disclosure is Required by Law; or
                     ii) Business Associate obtains reasonable written assurances from the person to whom it disclosed the PHI that it will remain confidential and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the PHI has been breached;
               c. use PHI to provide Data Aggregation services to Covered Entity as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B) if the performance of Data Aggregation services is necessary for Business Associate to perform its obligations under the Contract or Covered Entity otherwise requests Data Aggregation services from Business Associate;
               d. use and disclose PHI to report violations of law to appropriate Federal and State authorities, consistent with 45 C.F.R. § 164.502(j)(1); and
               e. use and disclose PHI as Required by Law.
2. Business Associate shall use and disclose PHI only as permitted or required by this Agreement.
3. Business Associate, in accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), will ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of the Business Associate agree in writing to adhere to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information.
4. When Business Associate has possession of PHI, is accessing PHI, or is transmitting Electronic PHI, it shall:
               a. use appropriate safeguards as required by the HIPAA Privacy Regulations to prevent the use or disclosure of PHI otherwise than as permitted or required under this Agreement; and
               b. with respect to Electronic PHI, implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of Electronic PHI as required by, and as more specifically set forth in, the HIPAA Security Regulations. Business Associate's obligations described above will include additional safeguards required to be taken by Business Associate pursuant to Section 13401(a) of the HITECH Act. Notwithstanding the foregoing, when Business Associate is present at a facility of Covered Entity or its affiliates or is accessing or utilizing equipment, software, tools, network components or other information technology owned, leased or licensed by Covered Entity or its affiliates ("Covered Entity Systems"), Business Associate will comply with Covered Entity's standard safeguards to prevent the use or disclosure of PHI applicable to Covered Entity facility or Covered Entity System, provided Covered Entity has given Business Associate prior notice of such safeguards in writing. Except as otherwise described above or expressly provided in this Agreement, Business Associate is not responsible for implementing safeguards with respect to the facilities of Covered Entity or its affiliates or Covered Entity Systems.
5. Business Associate shall report to Covered Entity
               a. any use or disclosure of PHI by Business Associate in violation of its obligations under this Agreement of which it becomes aware; and
               b. any Security Incident relating to Electronic PHI of which it becomes aware. In addition, Business Associate shall, following the discovery of a Breach of Unsecured PHI, notify Covered Entity of such Breach in accordance with 45 C.F.R. § 164.410. With respect to unsuccessful security incidents, Business Associate represents that the significant number of meaningless attempts to access its data, including ePHI, makes it impossible for Business Associate to report such unsuccessful security incidents in real-time or on any regular basis. Accordingly, the parties agree that this provision constitutes timely notice to Covered Entity of unsuccessful security incidents, whether occurring now or in the future, when they do not result in actual unauthorized access, use, disclosure, modification or destruction of ePHI or interference with an information system that contains or processes ePHI.
6. Business Associate shall make its internal practices, books and records relating to the use and disclosure of PHI available to the Secretary of the Department of Health and Human Services (“Secretary”), in a time and manner designated by the Secretary, for purposes of the Secretary determining Covered Entity's compliance with HIPAA.
7. Upon Business Associate's receipt of a request from an Individual for access to their PHI, Business Associate shall notify Covered Entity of the request in order for Covered Entity to meet its obligations. Covered Entity, not Business Associate, is responsible for responding to requests for access to or amendment of PHI from Individuals pursuant to HIPAA and the HIPAA Privacy Regulations, including, but not limited to, 45 C.F.R. §§ 164.524, 164.526, and 164.528, as the same may be amended from time to time. If Business Associate uses or maintains an electronic Health Record with respect to PHI, in accordance with Section 13405(e) of the HITECH Act, Business Associate acknowledges that an Individual has a right to obtain from Covered Entity a copy of such information in an electronic format.
8. Business Associate shall document disclosures of PHI it makes and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of such disclosures in accordance with 45 C.F.R. § 164.528. Upon Business Associate's receipt of written notice from Covered Entity that Covered Entity has received a request for an accounting of disclosures of PHI regarding an Individual, Business Associate shall make available to Covered Entity the information collected by it as described above to permit Covered Entity to respond to such request in accordance with 45 C.F.R. § 164.528.
9. As described in 45 C.F.R. § 164.502(b)(1), when using or disclosing PHI or when receiving PHI from Covered Entity (except for the uses and disclosures described in 45 C.F.R. § 164.502(b)(2)), Business Associate will make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request. Business Associate shall be treated as being in compliance with 45 C.F.R. § 164.502(b)(1) only if Business Associate limits such PHI, to the extent practicable, to the limited data set (as defined in 45 C.F.R. § 164.514(e)(2)) or, if needed by Business Associate, to the minimum necessary to accomplish the intended purpose of such use, disclosure, or request, respectively. Business Associate will determine what constitutes the minimum necessary to accomplish the intended purpose of such disclosure.
10. Except as provided in Section 13405(d)(2) of the HITECH Act, Business Associate will not directly or indirectly receive remuneration in exchange for any PHI of an Individual unless Covered Entity has obtained from the Individual, in accordance with 45 C.F.R. § 164.508, a valid authorization that includes, in accordance with such section, a specification of whether the PHI can be further exchanged for remuneration by the entity receiving PHI of that Individual. Nothing in this Section 10 shall be construed to allow Business Associate to disclose PHI except as provided in other provisions of this Agreement.
11. Business Associate shall mitigate, to the extent practicable, any harmful effect that is known to it of a use or disclosure of PHI by Business Associate in violation of its obligations set forth in this Agreement.
12. Covered Entity shall obtain and maintain such consents, authorizations and/or permissions, if any, as may be necessary or required under HIPAA, the HITECH Act, or other local, state or federal laws or regulations to permit Covered Entity to disclose PHI to Business Associate in order for Business Associate to use and disclose PHI as required or permitted under this Agreement. Covered Entity shall promptly inform Business Associate in writing as soon as Covered Entity becomes aware of any modifications to, restrictions on, defects in, or revocation or other termination of effectiveness of, any such consent, authorization, or permission, to the extent any such modifications, restrictions, defects, revocations, or terminations affect Business Associate's permitted or required uses and disclosures of PHI specified in this Agreement.
13. Covered Entity shall notify Business Associate in writing of any limitation(s) in its notice of privacy practices in accordance with 45 C.F.R. § 164.520, to the extent any such limitations affect Business Associate's permitted or required uses and disclosures of PHI specified in this Agreement.
14. Covered Entity shall notify Business Associate in writing of any restriction(s) to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR § 164.522, to the extent any such restrictions affect Business Associate's permitted or required uses and disclosures of PHI specified in this Agreement.
15. Without limiting Sections 1(a) - 1(e), Covered Entity agrees it will not request, and the performance of Business Associate's obligations under the Contract will not require, Business Associate to use or disclose PHI in any manner that would not be permissible if done by Covered Entity.
16. To the extent the services under the Contract involve Business Associate assisting Covered Entity in conducting electronic transactions governed by the HIPAA Transaction Regulations, unless otherwise set forth in the Contract or instructed by Covered Entity, Business Associate shall not:
               a. change the definition, data, condition, or use of a data element or segment in a standard as required by 45 C.F.R. § 162.915;
               b. add any data elements or segments to the maximum defined data set as required by 45 C.F.R. § 162.915;
               c. use any code or data elements that are either marked "not used" in the standard's implementation specification or are not in the standard's implementation specification(s) as required by 45 C.F.R. § 162.915; or
               d. Business Associate may terminate this Agreement at any time if Covered Entity fails to meet its HIPAA obligations.
17. This Agreement shall commence on the effective date of this Agreement ("Effective Date") and shall automatically terminate on the expiration or termination of the Contract.
18. If Business Associate commits a material breach of its obligations in this Agreement, Covered Entity may
               a. terminate this Agreement by providing Business Associate prior written notice if Business Associate fails to cure such breach within 30 days of its receipt of written notice from Covered Entity specifying the nature of such breach;
               b. immediately terminate the Contract and this Agreement by providing Business Associate prior written notice if a cure of such breach is not possible; or
               c. report such breach to the Secretary if termination of the Contract is not feasible.
               d. Covered Entity may terminate this Agreement at any time if Business Associate fails to meet its HIPAA obligations.
19. Upon the termination of this Agreement for any reason, Business Associate shall return or destroy all PHI in the possession of Business Associate, its affiliates, or their respective subcontractors in accordance with the terms of the Contract between the parties; and neither Business Associate, nor its affiliates or their respective subcontractors shall retain copies of such PHI; provided, however, if returning or destroying such PHI is infeasible,
               a. Business Associate shall provide Covered Entity notification of the conditions that make return or destruction infeasible; and
               b. Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible for so long as such PHI is maintained by Business Associate.
20. The references to the provisions and sections of HIPAA and the HITECH Act in this Agreement specifically refer to such provisions and sections in effect or as amended. If any privacy laws or regulations are enacted or amended, or any governmental guidance is issued, after the Effective Date, to the extent such laws or guidance require modifications to the then-current obligations of Covered Entity or Business Associate under this Agreement, Covered Entity and Business Associate agree to promptly meet and negotiate in good faith to mutually agree on such modifications. Any material modifications to Business Associate's obligations under this Agreement may include changes in financial terms as reasonably required to support such cost of compliance.
21. If there is any conflict between the terms of this Agreement and the terms of the Contract with respect to the matters covered in this Agreement, the terms of this Agreement shall control.
22. Authority to Bind. Each person executing this Agreement hereby warrants that they have full and legal authority to execute this Agreement for and on behalf of the respective Parties, and no further approval or consent of any other person is necessary in connection therewith. Further, each person executing this Agreement covenants and represents that the execution of this Agreement is not in contravention of and shall not result in a breach of any other agreement, contract, instrument, order, judgment or decree to which such person is a party.

IN WITNESS WHEREOF, the Parties have caused this Agreement to be signed and delivered by their duly authorized representatives, as of the Agreement Effective Date.


                CUSTOMER
                 
                 BY THIS DIGITAL SIGNATURE BELOW, CUSTOMER ACKNOWLEDGES
                 SIGNATURE AND ACCEPTANCE OF THIS LEGALLY BINDING DOCUMENT

Your Signature


CORPORATE HEADQUARTERS

752 East 1180 South, Suite 200

American Fork, Utah  84003

(877) 668-2723 phone

UNITED KINGDOM

12 Kingsbury Trading Estate Church Lane

Kingsbury London United Kingdom

NW9 8AU

+44 (0) 208 205 9500 phone

+44 (0) 208 205 0585 fax

LATIN AMERICA

2 Calle A 6-28 zona 10 Edificio Verona, Oficina 502
Guatemala, Guatemala

ASIA - PACIFIC

407 Prestige Tower F. Ortiga Jr. Road
Ortigas Center, Pasig City Philippines, 1605
Phone: +632.661.6161
Fax: +632.661.4334

© 2020 Novarad®