Business Associate Agreement
This Business Associate Agreement (the “BAA”) applies to any written agreement between OTTO Health, LLC (“OTTO”) and an OTTO customer (“PRACTICE”) which expressly references this BAA (such written agreement is referred to herein as the “Agreement”). Certain capitalized terms not defined in this BAA shall have the meaning set forth in the Agreement.
Whereas, Practice is a “covered entity” under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as it may be amended or supplemented; the regulations promulgated thereunder including the Standards for Privacy of Individually Identifiable Health Information (the “Privacy Rule”), 45 C.F.R. Parts 160 and 164, Subparts A and E, the Standards for the Security of Electronic Protected Health Information (the “Security Rule”), 45 C.F.R. Parts 160 and 164, Subpart C, the Breach Notification for Unsecured Protected Health Information (the “Breach Notification Rule”), 45 C.F.R. Parts 160 and 164, as may be amended or supplemented (collectively with HIPAA, the “HIPAA Rules”), and the Health Information Technology for Economic and Clinical Health Act, Title VIII of the American Recovery and Reinvestment Act of 2009, as may be amended or supplemented, and the regulations promulgated thereunder, as may be amended or supplemented (the “HITECH Act”);
Whereas, OTTO is a “business associate” under the HIPAA Rules and the HITECH Act and may receive, create, maintain, and transmit protected health information (“PHI”) on Practice’s behalf in connection with the Services (defined below);
Whereas, the HIPAA Rules and the HITECH Act require that Practice contract with OTTO to mandate certain protections for the privacy and security of PHI that OTTO may receive, create, maintain, or transmit on Practice’s behalf while providing the Services; and
Whereas, Practice and OTTO intend for the BAA to satisfy their obligations under the HIPAA Rules and the HITECH Act, and any implementing regulations.
Now, therefore, in consideration of the foregoing, and for other good and valuable consideration, the receipt and adequacy of which is hereby acknowledged, the Parties agree as follows:
- Defined Terms Generally
. Terms used in the BAA but not otherwise defined in the BAA shall have the same meaning as those terms in the HIPAA Rules and the HITECH Act.
- Specific Defined Terms.
- Breach. “Breach” shall have the meaning set forth in 45 CFR § 164.402.
- Designated Record Set. “Designated Record Set” shall have the meaning set forth in 45 CFR § 164.501.
- Electronic Protected Health Information. “Electronic Protected Health Information” shall have the meaning set forth in 45 CFR § 160.103.
- Individual. “Individual” shall have the meaning set forth in 45 CFR § 160.103 and shall include a person who qualifies as a “personal representative” pursuant to 45 CFR § 164.502(g).
- Privacy Rule. “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 CFR Part 160 and Part 164, Subparts A and E.
- Protected Health Information. “Protected Health Information” shall have the meaning set forth in 45 CFR § 160.103. All references to PHI shall also include Electronic Protected Health Information as defined in 45 CFR § 160.103.
- Required by Law. “Required by Law” shall have the meaning set forth in 45 CFR § 164.103.
- Secretary. “Secretary” shall mean the Secretary of the Department of Health and Human Services or his or her designee.
- Security Incident. “Security Incident” shall have the meaning set forth in 45 CFR § 164.304.
- Services. “Services” shall mean the services for or functions on behalf of Practice performed by OTTO pursuant to any service agreement(s) between Practice and OTTO which may be in effect now or from time to time (the “Service Agreement”), or, if no such agreement is in effect, the services or functions performed by OTTO that constitute a business associate relationship between Practice and OTTO.
- Subcontractor. “Subcontractor” shall have the meaning set forth in 45 CFR § 160.103.
- Unsecured Protected Health Information. “Unsecured Protected Health Information” shall have the meaning set forth in 45 CFR § 164.402.
OTTO’s Obligations and Scope of Activities
- Use and Disclosure of PHI
. OTTO agrees not to Use or Disclose PHI other than as permitted or required by the BAA, the Service Agreement, or as Required by Law. OTTO further agrees to comply with the BAA’s provisions and all present and future provisions of the HIPAA Rules, the HITECH Act, and Colorado law that relate to the privacy and security of PHI and apply to OTTO. OTTO agrees not to Use or Disclose PHI in any manner that would constitute a violation of the HIPAA Rules, the HITECH Act, or Colorado law if so Used or Disclosed by Practice. OTTO agrees to Use PHI solely for the purpose of and as necessary for performing Services for Practice. OTTO further agrees that Practice shall retain all rights in PHI not granted herein.
- Reasonable and Appropriate Safeguards
. OTTO has implemented and will continue to maintain administrative, physical, and technical safeguards (including written policies and procedures) to protect the confidentiality, integrity, and availability of PHI that it creates, receives, maintains, or transmits on Practice’s behalf against reasonably anticipated threats or hazards to the security and integrity of the PHI as required by the Security Rule. OTTO shall ensure that any agent or Subcontractor to whom OTTO provides PHI has implemented and will continue to maintain administrative, physical, and technical safeguards (including written policies and procedures) to protect the confidentiality, integrity, and availability of PHI as required by the Security Rule.
. OTTO shall enter into a written agreement meeting the requirements of 45 C.F.R. §§ 164.504(e) and 164.314(a)(2) with each Subcontractor (including, without limitation, a Subcontractor that is an agent under applicable law) that creates, receives, maintains, or transmits PHI on behalf of OTTO. OTTO shall ensure that the written agreement with each Subcontractor obligates the Subcontractor to comply with restrictions and conditions that are at least as restrictive as the restrictions and conditions that apply to OTTO under the BAA.
- Reporting of Violations
. OTTO shall report to Practice in writing each Security Incident or Use or Disclosure that is made by OTTO, members of its workforce, or agents or Subcontractors that is not specifically permitted by the BAA no later than ten (10) business days after becoming aware of such Security Incident or non-permitted Use or Disclosure, in accordance with the notice provisions set forth herein. OTTO further agrees to notify Practice of any suspected access, Use, or Disclosure of data in violation of any applicable federal or state laws or regulations without unreasonable delay, and in no case later than thirty (30) calendar days after discovery. In the event of a Breach, OTTO may delay notifying Practice upon a request from law enforcement. At Practice’s request, OTTO agrees, to the extent possible, to identify each Individual whose PHI has been or is reasonably believed by OTTO to have been accessed, acquired or Disclosed during the Security Incident and/or Breach; the date and scope of the Security Incident and/or Breach; OTTO’s response to the Security Incident and/or Breach, and the identity of the party responsible for causing the Security Incident and/or Breach, if known. OTTO also agrees to provide Practice with sufficient information to permit Practice to comply with Breach Notification Rule’s requirements or applicable state law requirements. OTTO shall cooperate reasonably and coordinate with Practice in the investigation of any violation of the BAA’s requirements and/or any Security Incident or Breach. OTTO shall cooperate reasonably and coordinate with Practice in the preparation of any reports or notices to the Individual, a regulatory body, or any third party required to be made under the HIPAA Rules, the HITECH Act, or any other federal or state laws, rules, or regulations. If OTTO determines that a reportable Breach of Unsecured PHI has occurred, OTTO shall provide a written report to Practice without unreasonable delay but no later than twenty (20) calendar days after discovery of the Breach. To the extent that information is available to OTTO, OTTO’s written report to Practice shall be in accordance with 45 C.F.R. §164.410(c).
- Breach Pattern or Practice by OTTO
. OTTO agrees that if OTTO knows of a pattern of activity or practice of OTTO that constitutes a material breach of OTTO’s obligations under the BAA, OTTO shall take reasonable steps to cure the breach or end the violation. OTTO agrees that if the steps are unsuccessful, OTTO shall terminate the BAA, or if termination is not feasible, report the problem to the Secretary.
- Mitigation of Harmful Effects
. OTTO agrees to mitigate, to the extent practicable, any harmful effect that is known to OTTO of a Use or Disclosure of PHI by OTTO in violation of the BAA.
- Third-Party Agreements
. Pursuant to 45 CFR §§ 164.308(b) and 164.502(e), OTTO agrees to ensure that any agent and/or Subcontractor, to whom it provides PHI that is created, received, transmitted, or maintained by OTTO on behalf of Practice agrees in a written business associate agreement to the same restrictions and conditions that apply through the BAA to OTTO with respect to such information. If OTTO is aware of a pattern or practice of an agent and/or Subcontractor that constitutes a material breach or violation by the agent and/or Subcontractor of any such restrictions or conditions, OTTO shall take reasonable steps to cure the breach or end the violation, as applicable, and if such steps are unsuccessful, to terminate the contract or arrangement with such agent and/or subagent.
- Availability of Books and Records
. OTTO agrees to make available to Practice or Secretary, within twenty (20) calendar days or such time as reasonably designated by the Secretary, any PHI and internal practices, books, records, accounts, and other sources of information, including policies and procedures, relating to the Use and Disclosure of PHI created, received, maintained, or transmitted by OTTO on Practice’s behalf for purposes of the Secretary determining Practice’s compliance with the Privacy Rule.
. To the extent that OTTO possesses or maintains a Designated Record Set, OTTO agrees to provide access, at the request of Practice, to PHI in a Designated Record Set to the Practice or, as directed by Practice, to the Individual or an Individual’s designee, within twenty (20) calendar days of such request order to meet the requirements under 45 CFR § 164.524. If an Individual makes a request for access to PHI directly to OTTO, OTTO shall notify Practice of the request within three (3) business days of such request and will cooperate with and allow Practice to respond to the Individual or Individual’s designee.
. To the extent that OTTO possesses or maintains a Designated Record Set, OTTO agrees to make any amendment(s) to PHI in a Designated Record Set that Practice directs or agrees to pursuant to 45 CFR § 164.526 in a manner reasonably requested by Practice within forty (40) calendar days of the request. If an Individual requests that OTTO make an amendment to PHI, OTTO shall notify Practice of the request within three (3) business days of such request and will cooperate with and allow Practice to respond to the Individual or Individual’s designee.
- Documentation of Disclosures
. OTTO agrees to document such Disclosures of PHI that it has made and information related to such Disclosures as would be required for Practice to respond to an Individual’s request for an accounting of Disclosures of PHI in accordance with 45 CFR § 164.528. OTTO further agrees to implement a process that allows for an accounting to be collected and maintained by OTTO and its agents and/or Subcontractors for at least six (6) years prior to the request. At a minimum, the information collected and maintained shall include:
- The date of the Disclosure;
- The name of the entity or person who received PHI and, if known, the address of the entity or person;
- A brief description of PHI Disclosed; and
- A brief statement of purpose of the Disclosure that reasonably informs the Individual of the basis for the Disclosure, or a copy of the written request for Disclosure by the Secretary or under 45 C.F.R. § 164.512, if any.
- Accounting of Disclosures
. OTTO agrees to provide to Practice or an Individual, within forty (40) days, information collected in accordance with Section 2.11 of the BAA in order that Practice may respond to an Individual’s request for an accounting of Disclosures of PHI in accordance with 45 CFR § 164.528 and the HITECH Act. OTTO agrees that such accounting obligations shall survive termination of the BAA and shall continue as long as OTTO maintains PHI created, received, maintained, or transmitted pursuant to the BAA. If multiple Disclosures of PHI have been made to the Secretary or the same person or entity under 45 C.F.R. § 164.512, OTTO shall also include in its Disclosures the frequency, periodicity, or number of Disclosures made during the accounting periods as well as the date of the last Disclosure during the accounting period. If an Individual makes a request for an accounting of Disclosure to OTTO, OTTO shall notify Practice of the request within three (3) business days of such request and will cooperate with and allow Practice to respond to the Individual or Individual’s designee.
- Minimum Necessary
. OTTO agrees to request, Use, and Disclose only the minimum amount of PHI necessary to accomplish the purpose of the request, Use, or Disclosure.
- Compliance with Administrative Obligations
. OTTO agrees to comply with any administrative requirements imposed on it in its capacity as a business associate by the HIPAA Rules and the HITECH Act.
- Compliance with Electronic Transmission Standards
. OTTO agrees to comply with all applicable standards and requirements of the HIPAA Rules and the HITECH Act regarding the transmission of PHI in an electronic format in connection with any transaction for which the Secretary has adopted a standard (“Covered Transaction” ) no less than thirty (30) days before prior to the applicable compliance dates established by the Secretary. OTTO shall require all of its agents and/or Subcontractors, if any, to comply with this Section 2.15.
Permitted Uses and Disclosures by OTTO
- General Use and Disclosure
. Except as otherwise limited by the BAA, OTTO may Use or Disclose PHI on behalf of, or to provide the following services to, Practice: legal counsel, defense or prosecution of litigation on Practice’s behalf, assistance with regulatory requirements, accreditation, certification, licensure, or operational issues, and any other legal services provided to Practice, if such Use or Disclosure of PHI would not violate:
- The Privacy Rule, the Security Rule, and the HITECH Act if done by Practice; or
- OTTO’s minimum necessary policies and procedures.
- Specific Uses and Disclosures.
- Except as otherwise limited in the BAA, OTTO may use PHI for:
- The proper management and administration and to carry out OTTO’s legal responsibilities, provided that Disclosures are:
- Required by Law; or
- OTTO obtains reasonable assurances from the person to whom the information is Disclosed that:
- PHI will remain confidential and Used or further Disclosed only as Required by Law or for the purpose for which it was Disclosed to the person; and
- The person notifies OTTO of any instances of which it is aware in which confidentiality of PHI has been Breached.
- To provide data aggregation services relating to the Health Care Operations of Practice as permitted by 45 CFR § 164.504(e)(2) (i)(B), if required or permitted under the Service Agreement;
- The proper management and administration and to carry out OTTO’s legal responsibilities, provided that Disclosures are:
- Except as otherwise limited in the BAA, OTTO may use PHI for:
- To create de-identified PHI; or
- To report violations of law to appropriate federal and state authorities, consistent with 45 CFR § 164.502(j)(1).
Obligations of Practice
- Notice of Privacy Practices
. Practice shall provide OTTO with a copy of Practice’s Notice of Privacy Practices and notify OTTO of any limitation(s) therein to the extent that such limitation(s) may affect OTTO’s Use or Disclosure of PHI in accordance with 45 CFR § 164.520.
- Notification of Individual Authorization Revocations
. Practice shall notify OTTO of any changes in, or revocations of, an Individual’s authorization to Use and/or Disclose PHI, to the extent that such changes may affect OTTO’s Use or Disclosure of PHI.
- Notification of Restrictions
. Practice shall notify OTTO of any restriction to the Use or Disclosure of PHI to which Practice has agreed, in accordance with 45 CFR § 164.522, to the extent that such restriction may affect OTTO’s Use or Disclosure of PHI.
- Notification of Amendments
. Practice shall notify OTTO of any amendment to PHI to which Practice has agreed that affects a Designated Record Set maintained by OTTO.
- Permissible PHI Disclosures
. Practice will not request OTTO to Use or Disclose PHI in any manner that would not be permissible under the Privacy Rule if done by Practice.
Term and Termination
. The BAA shall be effective as of date the BAA is executed by both Parties and shall continue until OTTO returns or destroys all PHI created or received by OTTO on Practice’s behalf, including any copies of PHI, or until OTTO determines that such return or destruction is infeasible.
- Termination for Cause
. Upon Practice’s knowledge of a material breach by OTTO, Practice shall either:
- Provide an opportunity for OTTO to cure the breach or end the violation within a specified period of time and terminate the BAA if OTTO does not cure the breach or end the violation within the time specified by Practice; or
- Immediately terminate the BAA if OTTO has breached a material term of the BAA and cure is not possible.
If neither termination nor cure is feasible, Practice shall report the violation to the Secretary.
- Effect of Termination.
- Except as provided in paragraphs (d) and (e) of this Section 5.3, upon termination of the BAA, for any reason, after consultation with Practice, OTTO shall return or destroy all PHI created, received, maintained, or transmitted by OTTO on behalf of Practice. This provision shall apply to PHI that is in the possession of OTTO’s agents and/or Subcontractors. OTTO and its agents and/or Subcontractors shall retain no copies of PHI.
- If the PHI is returned, OTTO will return via a commercially reasonable method mutually acceptable to the Parties (for example on a protected zip drive), the PHI of the patient users in OTTO’s possession by virtue of OTTO providing hosting services. In the event Practice needs additional transition support, OTTO will provide the same to Practice on a time and materials basis.
- If OTTO destroys the PHI, (i) destruction with regards to paper, film, or other hard copy media, means shredding or destruction such that the PHI cannot be read or otherwise reconstructed, and (ii) destruction with respect to electronic media requires that the media is cleared, purged or destroyed such that the PHI cannot be retrieved.
- If OTTO determines that it is infeasible to return or destroy the PHI, OTTO shall notify Practice of the conditions that make the PHI’s return or destruction infeasible. Thereafter, OTTO shall extend the BAA’s protection to such PHI and limit such PHI’s further Use and Disclosure to those purposes that make the return or destruction infeasible, for so long as OTTO maintains such PHI.
- The preceding provisions of this Section 5.3 shall not apply to the extent that PHI is maintained in OTTO’s possession pursuant to its record retention procedures. Nevertheless, the BAA’s protections shall remain in effect as to that PHI as long as OTTO retains such PHI.
- Relationship to Service Agreement
. The provisions of the BAA control with respect to PHI that OTTO receives from or on behalf of Practice. The terms and provisions of the BAA supersede any conflicting or inconsistent terms and provisions of the Service Agreement, including all exhibits or other attachments and all documents incorporated by reference, to the extent of such conflict or inconsistency.
. The Parties expressly acknowledge that it is, and shall continue to be, their intent to comply fully with all relevant federal, state, and local laws, regulations, and rules. If a Party believes in good faith that any provision of the BAA fails to comply with the then-current requirements under the HIPAA Rules, the HITECH Act or Colorado law, such Party shall notify the other Party in writing. The Parties agree to take such action as is necessary to amend the BAA from time to time as is necessary for Practice to comply with the requirements of the HIPAA Rules, the HITECH Act or Colorado law. The Parties will have thirty (30) calendar days to negotiate in good faith to amend the BAA’s provisions such that is complies with the then-current legal requirements. If after thirty (30) days, the BAA is still not in compliance with the then-current law, either Party may terminate the BAA upon written notice to the other Party.
. Any ambiguity in the BAA shall be resolved to permit the Parties to comply with the HIPAA Rules, the HITECH Act, or Colorado law.
- Governing Law
. The BAA shall be governed by and interpreted in accordance with the laws of the State of Colorado without regard to its conflicts-of-law provisions. Jurisdiction and venue for any dispute relating to the BAA shall exclusively rest with the state and federal courts in the county in which Practice is located.
. A reference in the BAA to a section in the HIPAA Rules or the HITECH Act means the section as in effect or as amended.
- No Agency Relationship
. The Parties do not intend to establish expressly or by implication an agency relationship (as defined under federal common law of agency) between Practice and OTTO for the purposes of liability under the HIPAA Rules, the HITECH Act or Colorado law. No terms or provisions contained in the BAA shall be construed to make or render OTTO an agent of Practice.
- Survival of Certain Rights and Obligations
. OTTO’s rights and obligations under Sections 2.11 and 5.3 shall survive the BAA’s termination.
. No provision of the BAA or any breach thereof shall be deemed a waiver unless such waiver is in writing and signed by the Party against whom such waiver it sought to be enforced. No waiver of a breach shall constitute a waiver of or excuse for any different or subsequent breach.
. Neither Party may assign any of its rights under the BAA without the other Party’s prior written consent; provided that either party may assign all of its rights and obligations hereunder without such consent in connection with a permitted assignment of the Agreement.
. All notices, requests, demands, and other communications required or permitted to be given or made under the BAA shall be given or made in accordance with the notice provisions contained in the Agreement.
- Invalidity or Unenforceability
. If any provision of the BAA shall be held invalid or unenforceable, such invalidity or unenforceability shall attach only to such provision and shall not in any way affect or render invalid or unenforceable any other provision of the BAA.
. Nothing in the BAA shall be deemed to:
- Create any rights in third parties; or
- Waive the attorney-client, work product, or other privilege between Practice and OTTO arising under applicable law, except to the limited extent necessary to comply with the requirements of Section 2.8 or applicable law.
- Entire Agreement
. The BAA constitutes the complete agreement between OTTO and Practice relating to the matters specified in the BAA, and supersedes all prior representations or agreements, whether oral or written, with respect to such matters. No oral modification or waiver of any of the provisions of the BAA shall be binding on either OTTO or Practice.